
Audit Report

Maryland Department of Health


Regulatory Services

January 2021

OFFICE OF LEGISLATIVE AUDITS


DEPARTMENT OF LEGISLATIVE SERVICES
MARYLAND GENERAL ASSEMBLY
Joint Audit and Evaluation Committee
Senator Clarence K. Lam, M.D. (Senate Chair) Delegate Carol L. Krimm (House Chair)
Senator Malcolm L. Augustine Delegate Steven J. Arentz
Senator Adelaide C. Eckardt Delegate Mark S. Chang
Senator George C. Edwards Delegate Andrea Fletcher Harrison
Senator Katie Fry Hester Delegate Keith E. Haynes
Senator Cheryl C. Kagan Delegate David Moon
Senator Benjamin F. Kramer Delegate April R. Rose
Senator Cory V. McCray Delegate Geraldine Valentino-Smith
Senator Justin D. Ready Delegate Karen Lewis Young
Senator Craig J. Zucker One Vacancy

To Obtain Further Information


Office of Legislative Audits
301 West Preston Street, Room 1202
Baltimore, Maryland 21201
Phone: 410-946-5900 · 301-970-5900 · 1-877-486-9964 (Toll Free in Maryland)
Maryland Relay: 711
TTY: 410-946-5401 · 301-970-5401
E-mail: [email protected]
Website: www.ola.state.md.us

To Report Fraud
The Office of Legislative Audits operates a Fraud Hotline to report fraud, waste, or abuse involving State
of Maryland government resources. Reports of fraud, waste, or abuse may be communicated anonymously
by a toll-free call to 1-877-FRAUD-11, by mail to the Fraud Hotline, c/o Office of Legislative Audits, or
through the Office’s website.

Nondiscrimination Statement
The Department of Legislative Services does not discriminate on the basis of age, ancestry, color, creed,
marital status, national origin, race, religion, gender, gender identity, sexual orientation, or disability in the
admission or access to its programs, services, or activities. The Department’s Information Officer has been
designated to coordinate compliance with the nondiscrimination requirements contained in Section 35.107
of the United States Department of Justice Regulations. Requests for assistance should be directed to the
Information Officer at 410-946-5400 or 410-970-5400.
January 19, 2021

Senator Clarence K. Lam, M.D., Senate Chair, Joint Audit and Evaluation Committee
Delegate Carol L. Krimm, House Chair, Joint Audit and Evaluation Committee
Members of Joint Audit and Evaluation Committee
Annapolis, Maryland

Ladies and Gentlemen:

We have conducted a fiscal compliance audit of Regulatory Services, a
budgetary unit within the Maryland Department of Health (MDH), for the
period beginning September 28, 2015 and ending September 24, 2019.
Regulatory Services consists of 22 Health Professional Boards and
Commissions (HPBCs) and the Office of Health Care Quality (OHCQ). The
various HPBCs and OHCQ are responsible for licensing and regulating health
professionals (such as physicians, nurses, and pharmacists) and health care
facilities in the State.

Our audit disclosed issues with the monitoring of certain licensees. Specifically,
the Board of Nursing and Board of Professional Counselors and Therapists did
not provide sufficient oversight of complaint investigations against licensees. As
a result, numerous complaints received by the Boards were not investigated in a
timely manner. For example, the Board of Nursing received 8,238 complaints
during our audit period. We noted that 3,272 of these complaints were still under
investigation as of March 2020, including 2,790 complaints for which there had
been an open investigation for more than one year. The timely investigation and
resolution of complaints is critical since licensees continue to practice until
investigations are completed and any actions deemed necessary are taken.
Additionally, as noted in MDH audit reports dating back to 2004, OHCQ had not
performed annual inspections for a number of licensed assisted living facilities
and developmental disabilities service providers.

Certain HPBCs had not established adequate controls over cash receipts. For
example, for 7 HPBCs, employees who were responsible for handling collections
also had access to the licensing systems, which gave them the capability to issue
or renew the related licenses. These functions should be separated to ensure
collections are properly controlled. Our audit also disclosed that 21 HPBCs did
not ensure user access capabilities in their respective licensing systems were
properly restricted. For example, 63 employees at 12 HPBCs could unilaterally
issue or renew a license. Our audit also disclosed that certain controls over the
licensing systems used by two HPBCs were not sufficient to protect critical
licensee data.

Furthermore, we noted that the Board of Dental Examiners did not prepare written
justifications to support the sole source procurement of two contracts or obtain
Department of Information Technology (DoIT) and BPW approval for the
contracts, as required.

Finally, we believe that certain of our findings could be the result of insufficient
individual board resources. Consequently, although this may be an area for
further study, we noted opportunities for consolidating licensing, procurement,
and other fiscal functions of the HPBCs. Although this course of action is not
required by any statute or regulation, we believe that consolidating these
processes would allow the HPBCs to resolve certain internal control deficiencies
commented upon in this report. In addition, consolidation could increase
efficiencies and achieve unspecified cost savings. For example, consolidating
procurements to leverage the HPBCs’ collective purchasing power could result in
enhanced competition and potential volume discounts.

Our audit included a review to determine the status of the eight findings
contained in our preceding Regulatory Services audit report. We determined
that Regulatory Services satisfactorily addressed three of these findings. The
remaining five findings are repeated in this report, two of which are combined
and presented as one finding.

MDH’s response to this audit, on behalf of Regulatory Services, is included as an
appendix to this report. We reviewed the response to our findings and related
recommendations, and have concluded that the corrective actions identified are
sufficient to address all audit issues.

We wish to acknowledge the cooperation extended to us during the audit by
Regulatory Services. We also wish to acknowledge MDH’s and Regulatory
Services’ willingness to address the audit issues and implement appropriate
corrective actions.

Respectfully submitted,

Gregory A. Hook, CPA


Legislative Auditor

Table of Contents

Background Information

Agency Responsibilities
Organizational Change
Status of Findings From Preceding Audit Report

Findings and Recommendations

Complaint Tracking
* Finding 1 – The Board of Nursing and the Board of Professional
Counselors and Therapists did not provide sufficient oversight to
ensure that complaints against licensees were timely investigated.
Our review disclosed that numerous complaints were not investigated
within one year.

Inspections
* Finding 2 – The Office of Health Care Quality did not conduct required
annual inspections of all assisted living facilities and developmental
disabilities service providers as required.

Cash Receipts
* Finding 3 – Controls over collections and deposits received at the Health
Professional Boards and Commissions (HPBCs) were not adequate,
and duties related to cash receipts and licensing were not properly
segregated.

Licensing Systems Access
Finding 4 – Twenty-one HPBCs did not perform documented system
access reviews of their licensing system to ensure that user access
capabilities were adequately restricted. As a result, numerous users
could unilaterally issue or renew licenses and current or former
employees had unnecessary system access.

Information Systems Security and Control
* Finding 5 – Password and account controls for the Board of Nursing and
the Board of Pharmacy were not sufficient to properly protect critical
data.

Procurements
Finding 6 – The Board of Dental Examiners did not comply with State
procurement regulations when awarding two sole source contracts
totaling $302,000 to a vendor for a new licensing system.

Consolidation of Operations
Finding 7 (Policy Issue) – Consolidation of licensing, procurement,
and other fiscal operations to enhance internal controls and
maximize efficiencies had not been pursued by the HPBCs.

Audit Scope, Objectives, and Methodology

Agency Response Appendix

* Denotes item repeated in full or part from preceding audit report

Background Information

Agency Responsibilities

Regulatory Services is a separate budgetary unit within the Maryland Department
of Health (MDH) which consists of 22 Health Professional Boards and
Commissions (HPBCs) and the Office of Health Care Quality (OHCQ). The
various HPBCs are responsible for licensing and regulating health professionals,
and OHCQ is responsible for regulating health care facilities in the State.
According to the State’s records, OHCQ and the 22 HPBCs’ total fiscal year 2019
revenues were approximately $56.9 million and fiscal year 2019 expenditures
totaled approximately $59.0 million, with the majority coming from special funds
($37.5 million).

Organizational Change

Chapter 739, Laws of Maryland 2016, effective October 1, 2016, separated the
Board of Chiropractic and Massage Therapy Examiners into the Board of
Chiropractic Examiners and the Board of Massage Therapy Examiners. This law
also eliminated the special, non-lapsing fund previously shared by the two boards
by establishing the State Board of Chiropractic Examiners Fund and the State
Board of Massage Therapy Examiners Fund.

Status of Findings From Preceding Audit Report

Our audit included a review to determine the status of the eight findings contained
in our preceding audit report dated April 26, 2017. As disclosed in Table 1
below, we determined that Regulatory Services satisfactorily addressed three of
these findings. The remaining five findings are repeated in this report, two of
which were combined and presented as one finding in this report.

Table 1
Status of Preceding Findings

| Preceding Finding | Finding Description | Implementation Status |
|---|---|---|
| Finding 1 | The Board of Professional Counselors and Therapists did not properly track complaints against licensees, resulting in complaints not being investigated and submitted to the Office of the Attorney General in a timely manner. | Repeated (Current Finding 1) |
| Finding 2 | The Board of Nursing did not always take timely action to suspend the licenses of delinquent noncustodial parents referred by the Child Support Administration as required by State law. | Not repeated |
| Finding 3 | The Office of Health Care Quality did not conduct annual inspections of certain health care facilities as required. | Repeated (Current Finding 2) |
| Finding 4 | The Maryland Medical Cannabis Commission improperly used interagency agreements with a State university to procure license application evaluation services. | Not repeated |
| Finding 5 | Certain boards did not adequately control and account for collections. | Repeated (Current Finding 3) |
| Finding 6 | Seventeen boards and commissions did not ensure that employees handling collections were denied the capability to issue or renew licenses. | Repeated (Current Finding 3) |
| Finding 7 | The Board of Physicians did not adequately monitor a rehabilitation services vendor and did not always obtain documentation to support amounts invoiced. | Not repeated |
| Finding 8 | Password and account controls for the Boards of Nursing, Physicians, and Pharmacy were not sufficient to properly protect critical data. | Repeated (Current Finding 5) |

Findings and Recommendations

Complaint Tracking

Finding 1
The Board of Nursing and the Board of Professional Counselors and
Therapists did not provide sufficient oversight to ensure that complaints
against licensees were investigated timely. Our review disclosed that
numerous complaints were not investigated within one year.

Analysis
Our review of the complaint tracking procedures for 2 of the 22 Health
Professional Boards and Commissions (HPBCs), the Board of Nursing and the
Board of Professional Counselors and Therapists, disclosed that neither Board
provided sufficient oversight to ensure that complaints against licensees were
investigated timely. Our audit disclosed a significant number of complaints
received by these Boards that were still under investigation more than one year
after the complaints were received.

The Board of Nursing did not periodically review logs to ensure that
investigations were conducted timely. In addition, while cases were tracked in
separate logs maintained by three Board investigative staff, we noted that each log
did not include all critical information. For example, the logs for two of the
investigators lacked the date that the Board received the complaint and therefore,
the Board could not readily determine the timeliness of the investigation.
According to its licensing system, which contained certain information regarding
complaints but was not used to track the status of the related investigations, the
Board of Nursing received 8,238 complaints during the period from September
2015 to September 2019. As of March 2020, 3,272 of these complaints were still
under investigation or not yet investigated. Our review of these 3,272 complaints
disclosed that 2,790 had been open for more than one year, including 151
complaints received during calendar year 2015.

For the Board of Professional Counselors and Therapists, while we were advised
that the Board periodically reviewed its complaint log, this review was not
effective since the log was not completed for certain investigations. Specifically,
our review of the 225 complaints recorded in the log during the period from April
2017 to June 2019 disclosed 44 complaints that had been open for more than one
year and for which the log was not updated to reflect the current status of the
investigations. For example, the date the case was assigned to an investigator had
not been recorded for 30 of these 44 complaints. A similar condition regarding
the Board of Professional Counselors and Therapists not properly monitoring
complaints and maintaining a tracking log that did not include all critical
information was commented upon in our preceding audit report.

In accordance with State law, the Secretary of MDH had developed guidelines
with timeliness goals for complaint resolution by the HPBCs. The guidelines
established a goal of 3 to 12 months for the completion of a complaint
investigation and a determination to bring charges with the Office of the Attorney
General (OAG), with the specific goal for the Board of Nursing being 270 days.
Adequate tracking and timely resolution of complaints is critical since licensed
individuals continue to practice until the OAG takes action.

Recommendation 1
We recommend that the Board of Nursing and Board of Professional
Counselors and Therapists
a. properly monitor complaints (such as by periodically reviewing the
tracking logs) and develop a strategy to ensure the timely disposition of
complaints (repeat); and
b. properly maintain the tracking logs and ensure the logs reflect all critical
information, including key dates such as initial receipt (repeat).

Inspections

Finding 2
The Office of Health Care Quality did not conduct required annual
inspections of all assisted living facilities and developmental disabilities
service providers.

Analysis
The Office of Health Care Quality (OHCQ) did not inspect each of the assisted
living facilities and developmental disabilities service providers annually as
required by State law. Specifically, as noted in Table 2, OHCQ did not complete
all of the required annual inspections during fiscal years 2016 through 2019.
Similar conditions have been commented upon in MDH audit reports dating back
to 2004.

Table 2
OHCQ Annual Inspections Between Fiscal Years 2016 and 2019

| Fiscal Year | Assisted Living Facilities | Assisted Living Inspections Conducted | Assisted Living Percentage Conducted | Developmental Disabilities Providers | Developmental Disabilities Inspections Conducted | Developmental Disabilities Percentage Conducted |
|---|---|---|---|---|---|---|
| 2016 | 1,531 | 1,188 | 78% | 218 | 53 | 24% |
| 2017 | 1,580 | 755 | 48% | 230 | 91 | 40% |
| 2018 | 1,546 | 788 | 51% | 241 | 47 | 20% |
| 2019 | 1,563 | 1,108 | 71% | 253 | 99 | 39% |

State law requires OHCQ to conduct inspections at least annually to ensure
compliance with State and federal regulations regarding patient care and safety.
If deficiencies noted during the inspections are not corrected (for example, failure
to maintain client records in accordance with State regulations), OHCQ may
impose sanctions such as license revocation, fines, or other restrictions on the
operating license. Based on OHCQ records, inspections that are conducted
frequently disclose deficiencies requiring corrective action.

According to OHCQ’s fiscal year 2019 Annual Report and Staffing Analysis
submitted to the General Assembly, insufficient staff has impacted its ability to
meet the annual inspection requirements. In fiscal year 2018, MDH implemented
a seven-year staffing plan to increase the number of OHCQ inspectors. While the
Annual Report indicated that the plan remained on target through fiscal year 2021,
OHCQ advised that it still needed an additional 40 staff to perform the required
number of inspections. In addition, uncertainty regarding the State’s budgetary
outlook due to the ongoing COVID-19 pandemic may further impact the
feasibility of this staffing plan.

Recommendation 2
We recommend that OHCQ, in conjunction with MDH, ensure inspections of
the assisted living facilities and developmental disabilities service providers
are completed as required by law (repeat).

Cash Receipts

Background
According to the State’s records, during fiscal year 2019, collections received by
the 22 HPBCs totaled approximately $49.0 million (see Table 3). These
collections, which primarily related to licensing fees, were received
by direct mail, in person, by credit card (processed either by HPBC staff or by
third-party vendors), or by a lockbox.

Table 3
Summary of Fiscal Year 2019 Collections

| Board or Commission | Credit Card | Mail and Walk-in | Lockbox | Total |
|---|---|---|---|---|
| Physicians | $9,895,499 | $0 | $2,929,946 | $12,825,445 |
| Medical Cannabis | 4,291,854 | 6,069,450 | 0 | 10,361,304 |
| Nursing | 7,736,954 | 619,807 | 0 | 8,356,761 |
| Pharmacy | 1,956,964 | 0 | 2,525,494 | 4,482,458 |
| Dental Examiners | 1,716,023 | 619,464 | 0 | 2,335,487 |
| Social Work Examiners | 1,771,325 | 246,540 | 0 | 2,017,865 |
| Professional Counselors and Therapists | 894,294 | 804,311 | 0 | 1,698,605 |
| Chiropractic Examiners* | 1,150,625 | 102,908 | 0 | 1,253,533 |
| Physical Therapy Examiners | 979,285 | 89,346 | 0 | 1,068,631 |
| Examiners of Psychologists | 593,988 | 271,823 | 0 | 865,811 |
| Morticians | 183,000 | 524,555 | 0 | 707,555 |
| Occupational Therapy Practice | 590,575 | 22,635 | 0 | 613,210 |
| Audiologists, Hearing Aid Dispensers and Speech-Language Pathologists | 410,054 | 97,758 | 0 | 507,812 |
| Acupuncture | 270,148 | 87,506 | 0 | 357,654 |
| Podiatric Examiners | 215,350 | 116,185 | 0 | 331,535 |
| Dietetic Practice | 283,354 | 32,255 | 0 | 315,609 |
| Examiners in Optometry | 256,864 | 33,561 | 0 | 290,425 |
| Massage Therapy Examiners | 0 | 212,955 | 0 | 212,955 |
| Kidney Disease | 0 | 185,370 | 0 | 185,370 |
| Environmental Health Specialists | 0 | 113,425 | 0 | 113,425 |
| Examiners of Nursing Home Administrators | 41,800 | 17,900 | 0 | 59,700 |
| Residential Child Care Administrators | 3,350 | 32,945 | 0 | 36,295 |
| Total | $33,241,306 | $10,300,699 | $5,455,440 | $48,997,445 |

Source: State Accounting Records
* Credit card collections listed for Chiropractic Examiners also includes collections for Massage
Therapy Examiners which could not be broken out.

Collections received through direct mail and walk-in were deposited using
remote deposit, a process that scans the images of checks and electronically
transmits those images to the bank for deposit. Collections received at 18 HPBCs
were scanned into the remote deposit system by an employee and electronically
transmitted to the bank for deposit by MDH’s Division of General Accounting
(DGA), and collections for the remaining 2 HPBCs that received mail or walk-in
collections were processed by their own remote deposit systems.

Finding 3
Controls over collections directly received at and the deposits made by the
majority of the HPBCs were not adequate, and duties related to cash receipts
and licensing were not properly segregated.

Analysis
Controls over collections and deposits received at the HPBCs were not adequate,
and duties related to cash receipts and licensing were not properly segregated. As
summarized in Table 4, our review of the 22 HPBCs’ procedures and controls
disclosed deficiencies in the following areas among 19 of the HPBCs:

Credit Card Collections
Fourteen HPBCs lacked procedures to verify that all credit card collections
processed by third-party vendors were deposited into the State’s bank account,
including seven HPBCs that also did not verify that credit card collections
were recorded in the State’s accounting records. In addition, the Board of
Nursing did not completely resolve a discrepancy it identified between the
collections processed by its credit card vendor and the amounts recorded in the
State’s accounting records. Specifically, the fiscal year 2019 collections
reported by the vendor ($8.1 million) exceeded the total amount deposited in
the State’s bank account by $386,000. Although the Board had investigated
and resolved other discrepancies totaling approximately $2.5 million, as of
February 2020, it had not resolved the remaining discrepancy.

Segregation of Duties
Seven HPBCs had not properly segregated cash handling duties from the
licensing duties. Specifically, nine employees with access to collections
received at the seven HPBCs had been assigned system user functions that
allowed them the capability to issue or renew licenses, certificates, or permits,
or adjust the related billing records. As a result, collections could be
misappropriated and the related licenses issued without detection. We were
advised by HPBC personnel that the problem was due to limited resources and
it had considered processing these HPBCs’ collections through lockboxes to
eliminate the cash handling duties of the employees with the capability to issue
licenses, but determined that it would be cost prohibitive given the amount of
collections received by the individual HPBCs. However, no documentation
was provided to support this assertion. As noted in Finding 7, if the HPBCs
consolidated certain functions, cost efficiencies may be achievable.

Reconciliations of Licenses to Related Collections
Twelve HPBCs did not periodically reconcile the value of licenses issued with
the related collections to ensure that all collections were accounted for and
deposited. Nevertheless, our test of licenses issued by the Board of Nursing
and the Board of Pharmacy did not disclose any licenses that were issued
without a related collection.

Table 4
Finding 3 Summary

| Board or Commission | Credit Card Collections Verified to Deposit | Credit Card Collections Verified to State Accounting Records | Cash Handling and Licensing Duties Segregated | Licenses Reconciled to Collections |
|---|---|---|---|---|
| Physicians | Yes | Yes | Yes | Yes |
| Medical Cannabis | Yes | Yes | No | Yes |
| Nursing | No | No | Yes | No |
| Pharmacy | No | Yes | Yes | No |
| Dental Examiners | No | No | No | No |
| Social Work Examiners | No | Yes | Yes | Yes |
| Professional Counselors and Therapists | No | Yes | Yes | No |
| Chiropractic Examiners | No | No | Yes | No |
| Physical Therapy Examiners | No | Yes | Yes | Yes |
| Examiners of Psychologists | No | No | Yes | No |
| Morticians | Yes | Yes | Yes | No |
| Occupational Therapy Practice | No | Yes | Yes | Yes |
| Audiologists, Hearing Aid Dispensers and Speech-Language Pathologists | No | No | Yes | No |
| Acupuncture | Yes | Yes | No | Yes |
| Podiatric Examiners | Yes | Yes | No | Yes |
| Dietetic Practice | Yes | Yes | Yes | Yes |
| Examiners in Optometry | No | Yes | Yes | Yes |
| Massage Therapy Examiners | No | No | Yes | No |
| Kidney Disease* | N/A | N/A | Yes | Yes |
| Environmental Health Specialists* | N/A | N/A | No | No |
| Examiners of Nursing Home Administrators | No | No | No | No |
| Residential Child Care Administrators | No | No | No | No |
| Total Exceptions | 14 | 8 | 7 | 12 |

*As noted in Table 3, the Board of Environmental Health Specialists and Commission on
Kidney Disease did not process collections via credit card. Therefore, these attributes are not
applicable.

The failure to verify that credit card collections were deposited and recorded in
the State’s accounting records, and the lack of segregation of cash handling and
licensing duties for a number of HPBCs were commented upon in our preceding
audit report. Furthermore, the lack of reconciliations of licenses issued to the
related collections by certain HPBCs has been commented upon in our audit
reports dating back to 2006.

The Comptroller of Maryland’s Accounting Procedures Manual requires
collections to be independently verified to deposit and recorded in the State’s
accounting records. In addition, the Manual requires the separation of cash
handling duties and licensing duties and reconciling the value of licenses to the
related collections.

Recommendation 3
We recommend that the applicable HPBCs
a. perform documented verifications that credit card collections were
deposited and properly recorded in the State’s accounting records
(repeat);
b. continue investigative action to determine whether the aforementioned
$386,000 in unrecorded collections were deposited and properly recorded
in the State’s accounting records;
c. ensure that employees processing collections are denied the system
capability to issue or renew licenses, certificates, or permits, (repeat) or to
update the related billing records;
d. in conjunction with MDH, perform a documented consideration of the
feasibility of using a bank lockbox account to receive collections (repeat);
and
e. periodically reconcile licensing activity with the related collections
(repeat).

Licensing Systems Access

Finding 4
Twenty-one HPBCs did not perform documented system access reviews of
their licensing system to ensure that user access capabilities were adequately
restricted. As a result, numerous users could unilaterally issue or renew
licenses, and current or former employees had unnecessary system access.

Analysis
Twenty-one HPBCs did not perform documented system access reviews of their
licensing systems. We obtained system-generated reports from the 7 licensing
systems used by the 22 HPBCs which identified 147 users with active access.
Our review disclosed that during the audit period 21 of the 22 HPBCs had not
conducted a review of user access to determine whether the access was properly
restricted and necessary for the employee to complete their job. As a result, we
noted the following conditions:

• Sixty-four users at 12 HPBCs (see Table 5) had the ability to unilaterally issue
or renew licenses without independent review and approval. The licensing
system shared and used by 9 HPBCs did not have the ability to establish
online approvals, and no manual approvals of the licenses were performed.
The system used by the remaining 3 HPBCs had the capability to create online
approvals, but the HPBCs did not consistently use this capability or establish
procedures to manually review the related licenses.

• Forty-eight users at 4 HPBCs (see Table 5) could issue or renew licenses even
though this capability was not required to perform their job duties. In
addition, 3 former employees at 3 HPBCs (see Table 5), including one that
could unilaterally issue licenses, had system access even though the
employees had terminated their employment 1 to 12 months earlier. As a
result, these former employees still had access to Personally Identifiable
Information (PII).

Table 5
Finding 4 Summary

| Board or Commission | Periodic System Access Review | Employees Able to Unilaterally Issue Licenses | Employees with Unnecessary Capabilities | Former Employees with Access |
|---|---|---|---|---|
| Physicians | No | - | - | - |
| Medical Cannabis | No | - | - | - |
| Nursing | No | 38 | 22 | - |
| Pharmacy | No | 6 | 16 | - |
| Dental Examiners | No | 6 | 9 | 1 |
| Social Work Examiners | No | - | 1 | - |
| Professional Counselors and Therapists | No | 6 | - | - |
| Chiropractic Examiners* | No | 2 | - | - |
| Physical Therapy Examiners | No | - | - | - |
| Examiners of Psychologists | No | 1 | - | - |
| Morticians | No | 1 | - | - |
| Occupational Therapy Practice | No | - | - | - |
| Audiologists, Hearing Aid Dispensers and Speech-Language Pathologists | No | 1 | - | - |
| Acupuncture | No | - | - | - |
| Podiatric Examiners | No | - | - | - |
| Dietetic Practice | No | - | - | - |
| Examiners in Optometry | No | - | - | - |
| Massage Therapy Examiners* | No | 2 | - | - |
| Kidney Disease | Yes | - | - | - |
| Environmental Health Specialists | No | 1 | - | 1 |
| Examiners of Nursing Home Administrators | No | 1 | - | - |
| Residential Child Care Administrators | No | 1 | - | 1 |
| Total Exceptions | 21 | 64 | 48 | 3 |

Source: Regulatory Services Records
*The Board of Massage Therapy Examiners and the Board of Chiropractic Examiners used the same staff to issue
licenses. The 2 employees who could unilaterally issue licenses for these boards are only included once in the total
(therefore, the total in the Employees Able to Unilaterally Issue Licenses column does not add up).

The State of Maryland Information Technology Security Manual requires
agencies to perform system access reviews at least annually. The Manual also
requires agencies to strictly control and audit the access to confidential
information to support the concept of “least privilege.”

Recommendation 4
We recommend that the HPBCs
a. perform documented periodic access reviews of the licensing systems;
b. establish online or manual controls to prevent users from unilaterally
issuing or renewing licenses, including those noted above; and
c. ensure that users are assigned only those capabilities needed to perform
job duties and to eliminate unnecessary access, including those noted
above.

Information Systems Security and Control

Background
Fifteen boards and one commission (Kidney Disease) have licensing systems
maintained by the HPBCs’ information technology staff on a consolidated
licensing application database system. The remaining five boards (including the
Boards of Physicians, Nursing, and Pharmacy) maintain licensing systems
residing on servers located at each board’s office and principally use application
security to provide system security. Several boards also provide an online license
verification service to the general public and numerous boards offer online license
renewals. Additionally, the Maryland Medical Cannabis Commission uses an
outside service provider system for licensing and registration processing
functions. The Office of Health Care Quality uses a Federal Centers for Medicare
and Medicaid Services’ system for its information system processing
requirements.

Our audit of these systems was primarily limited to the review of select database
system controls of the Board of Physicians and the Board of Nursing. Our audit
also reviewed critical application account and password controls for the Boards of
Pharmacy and Nursing.

Finding 5
Password and account controls for the Board of Nursing and the Board of
Pharmacy were not sufficient to properly protect critical data.

Analysis
Password and account controls for the Board of Nursing and the Board of
Pharmacy were not sufficient to properly protect critical data (such as personally
identifiable information). Specifically, we noted that password and account
controls over critical applications used by the Boards of Nursing and Pharmacy
did not comply with required settings prescribed by either the current State of
Maryland Information Technology Security Manual, or the preceding Information
Security Policy with respect to password age, history, and account lockout. A
similar condition, for the Boards of Nursing and Pharmacy, was commented upon
in our preceding audit report.

Given these results from our review of selected systems and the fact that many of
the other boards and commissions maintain sensitive licensee information, we
believe MDH should ensure that all boards and commissions have established
appropriate password and account controls.

Recommendation 5
We recommend that
a. the two Boards implement strong controls over passwords and accounts
for critical applications in accordance with the settings prescribed by the
Information Technology Security Manual (repeat), and
b. MDH determine the extent to which additional application password and
account controls are needed to protect licensee data for the remaining
boards and commissions (repeat).

Procurements

Finding 6
The Board of Dental Examiners did not comply with State procurement
regulations when awarding two sole source contracts totaling $302,000 to a
vendor for a new licensing system.

Analysis
The Board of Dental Examiners did not comply with State procurement
regulations when awarding two sole source contracts totaling $302,000 to a
vendor for a new licensing system. Specifically, our review of the procurement of
licensing systems by four boards from a single vendor which totaled $1.1 million,
disclosed that the Board of Dental Examiners did not prepare written justifications
to support the use of the sole source procurement method for its two contracts
with the vendor. Additionally, the Board did not obtain Department of
Information Technology (DoIT) and Board of Public Works (BPW) approval,
when required. We concluded that the propriety of the sole source method used
was questionable because MDH’s Office of Procurement and Support Services
had previously advised the Board of Dental Examiners that the services could
potentially be provided by other vendors.

State procurement regulations provide that sole source procurements should only
be used when goods or services are available from only a single vendor, and
require that written justifications be prepared and approved prior to the contract
award. In addition, State procurement regulations provide that procurements of
information technology exceeding $100,000 require DoIT approval and contracts
over $200,000 require BPW approval. One of the two Board contracts with this
vendor exceeded $200,000.

Recommendation 6
We recommend that the Board of Dental Examiners
a. ensure sole source procurements are adequately justified and use the sole
source procurement method when only a single vendor can meet the
requirements; and
b. submit contracts to DoIT and BPW for review and approval, as required.

Consolidation of Operations

Finding 7 (Policy Issue)
Consolidation of licensing, procurement, and other fiscal operations to
enhance internal controls and maximize efficiencies had not been pursued by
the HPBCs.

Analysis
The HPBCs had not pursued the consolidation of licensing, procurement, and
other fiscal operations such as collection of cash receipts to enhance internal
controls and maximize efficiencies. State law establishes each HPBC as an
independent unit and does not require them to consolidate these functions.
However, in our opinion, consolidating certain functions could help resolve
longstanding internal control deficiencies, including four of the five findings
repeated from our preceding audit report. For example, as noted in Finding 3,
seven HPBCs had not properly segregated cash handling and licensing duties,
which according to the HPBCs was due to limited personnel. We determined that
had their collection functions been consolidated, the current personnel assigned to
those functions for each HPBC could be used to help ensure the appropriate
segregation of duties. Furthermore, we noted that 16 of the HPBCs already have
consolidated their information technology support staff into one shared unit, so
there appears to be precedent for such actions.

Although an area for further study, we believe that consolidating certain
operations could result in efficiencies and cost savings. For example,
consolidating procurements could result in potential volume discounts.
According to State accounting records, during fiscal years 2016 to 2019 all
HPBCs procured services from 62 vendors totaling $10.6 million. Of those
procurements, seven vendors were used by two or more (of five) HPBCs to
procure similar services totaling $1.3 million. Since each of the five HPBCs
procured these contracts independently, they would not have taken advantage of
increased competition and potential volume discounts. Additionally, had certain
of the procurements been consolidated, based on increased value, they may have
been subject to enhanced oversight via control agency and/or Board of Public
Works review and approval, which presently is not the case.

A model for such a consolidated organization does exist elsewhere in State
government. For example, the Maryland Department of Labor – Division of
Occupational and Professional Licensing (DOPL) has consolidated the licensing,
collections, and procurement functions of its 25 boards and commissions. In
contrast, the HPBCs have individually procured seven separate licensing systems
in total while DOPL procured a single licensing system that was used by all of its
boards and commissions.

Recommendation 7
We recommend that the HPBCs collectively identify opportunities for
consolidating certain operations to enhance internal controls and maximize
efficiencies and, if deemed practical, develop a formal plan to accomplish
such enhancements.

Audit Scope, Objectives, and Methodology
We have conducted a fiscal compliance audit of Regulatory Services, a unit of the
Maryland Department of Health (MDH), for the period beginning September 28,
2015 and ending September 24, 2019. Regulatory Services consists of 22 Health
Professional Boards and Commissions and the Office of Health Care Quality
(OHCQ). The audit was conducted in accordance with generally accepted
government auditing standards. Those standards require that we plan and perform
the audit to obtain sufficient, appropriate evidence to provide a reasonable basis
for our findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.

As prescribed by the State Government Article, Section 2-1221 of the Annotated
Code of Maryland, the objectives of this audit were to examine Regulatory
Services’ financial transactions, records, and internal control, and to evaluate its
compliance with applicable State laws, rules, and regulations.

In planning and conducting our audit, we focused on the major financial-related
areas of operations based on assessments of significance and risk. The areas
addressed by the audit included health professional and facilities licensing, cash
receipts, contracts, and information systems. We also determined the status of the
findings contained in our preceding audit report.

Our assessment of internal controls was based on agency procedures and controls
in place at the time of our fieldwork. Our tests of transactions and other auditing
procedures were generally focused on the transactions occurring during our audit
period of September 28, 2015 to September 24, 2019, but may include
transactions before or after this period as we considered necessary to achieve our
audit objectives.

Our audit did not include certain support services provided to Regulatory Services
by MDH – Office of the Secretary. These support services (such as payroll,
purchasing, maintenance of accounting records, and related fiscal functions) are
included within the scope of our audit of the Office of the Secretary.

To accomplish our audit objectives, our audit procedures included inquiries of
appropriate personnel, inspections of documents and records, tests of transactions
and to the extent practicable, observations of Regulatory Services’ operations.
Generally, transactions were selected for testing based on auditor judgment,
which primarily considers risk. Unless otherwise specifically indicated, neither
statistical nor non-statistical audit sampling was used to select the transactions
tested. Therefore, the results of the tests cannot be used to project those results to
the entire population from which the test items were selected.

We also performed various data extracts of pertinent information from the State’s
Financial Management Information System (such as revenue and expenditure
data) and the State’s Central Payroll Bureau (payroll data). The extracts are
performed as part of ongoing internal processes established by the Office of
Legislative Audits and were subject to various tests to determine data reliability.
We determined that the data extracted from these sources were sufficiently
reliable for the purposes the data were used during this audit.

We also extracted data from various agency systems, including the licensing
systems at various HPBCs and the inspection system at OHCQ, for the purpose of
testing whether licenses were properly issued and inspections were performed as
required. We performed various tests of the relevant data and determined that the
data were sufficiently reliable for the purposes the data were used during the
audit. Finally, we performed other auditing procedures that we considered
necessary to achieve our audit objectives. The reliability of data used in this
report for background or informational purposes was not assessed.

Regulatory Services’ management is responsible for establishing and maintaining
effective internal control. Internal control is a process designed to provide
reasonable assurance that objectives pertaining to the reliability of financial
records, effectiveness and efficiency of operations including safeguarding of
assets, and compliance with applicable laws, rules, and regulations are achieved.
As provided in Government Auditing Standards, there are five components of
internal control: control environment, risk assessment, control activities,
information and communication, and monitoring. Each of the five components,
when significant to the audit objectives, and as applicable to Regulatory Services,
were considered by us during the course of this audit.

Because of inherent limitations in internal control, errors or fraud may
nevertheless occur and not be detected. Also, projections of any evaluation of
internal control to future periods are subject to the risk that conditions may
change or compliance with policies and procedures may deteriorate.

Our reports are designed to assist the Maryland General Assembly in exercising
its legislative oversight function and to provide constructive recommendations for
improving State operations. As a result, our reports generally do not address
activities we reviewed that are functioning properly.

This report includes findings relating to conditions that we consider to be
significant deficiencies in the design or operation of internal control that could
adversely affect Regulatory Services’ ability to maintain reliable financial
records, operate effectively and efficiently, and/or comply with applicable laws,
rules, and regulations. Our report also includes findings regarding significant
instances of noncompliance with applicable laws, rules, or regulations. Other less
significant findings were communicated to Regulatory Services that did not
warrant inclusion in this report.

The response from MDH, on behalf of Regulatory Services, to our findings and
recommendations is included as an appendix to this report. As prescribed in the
State Government Article, Section 2-1224 of the Annotated Code of Maryland,
we will advise MDH regarding the results of our review of its response.

APPENDIX

January 9, 2021

Mr. Gregory A. Hook, CPA
Legislative Auditor
Office of Legislative Audits
State Office Building, Room 1202
301 West Preston Street
Baltimore, MD 21201

Dear Mr. Hook:

Enclosed, please find the responses to the draft audit report on the Maryland Department of
Health – Regulatory Services for the period beginning September 28, 2015 and ending
September 24, 2019.

If you have any questions, please contact Frederick D. Doggett at 410-767-0885 or email at
[email protected].

Sincerely,

Dennis R. Schrader
Acting Secretary

Enclosure

cc: Frederick D. Doggett, Inspector General, MDH
Webster Ye, Assistant Secretary, Health Policy, MDH
Kimberly Link, J.D., Associate Director, Health Workforce, Health Occupations Board
and Commissions
Deneen Toney, Acting Assistant Inspector General, MDH
Patricia T. Nay, M.D., Executive Director, Office of Health Care Quality, MDH
Karen E. B. Evans, R.N., Executive Director, State Board of Nursing, MDH
Penny K. Heisler, Executive Director, State Acupuncture Board, MDH
Candace G. Robinson, Executive Director, State Board of Examiners for
Audiologists, Hearing Aid Dispensers, & Speech-Language Pathologists, MDH
Darlene V. Ham, Executive Director, State Board for Certification of Residential Child-
Care Program Professionals, MDH
Christy Collins, Executive Director, State Board of Morticians & Funeral Directors,
MDH
Danielle M. Vallone, Acting Executive Director, State Board of Professional Counselors
& Therapists, MDH
Francis X. McLaughlin, Jr., Executive Director, State Board of Dental Examiners, MDH
Marie M. Savage, Administrator, State Board of Dietetic Practice, MDH
James T. Merrow, Executive Director, State Board of Environmental Health Specialists,
MDH
Eva H. Schwartz, Executive Director, State Commission on Kidney Disease and State
Board of Podiatric Medical Examiners, MDH
Sharon J. Oliver, Executive Director, State Board of Massage Therapy Examiners and
State Board of Chiropractic Examiners, MDH
Ronda Butler Bell, Executive Director, State Board of Examiners of Nursing Home
Administrators, MDH
Lauren C. Murray Honeycutt, Executive Director, State Board of Occupational Therapy
Practice, MDH
Patricia G. Bennett, Executive Director, State Board of Examiners in Optometry, MDH
Deena N. Speights-Napata, Executive Director, State Board of Pharmacy, MDH
Laurie Kendall-Ellis, Executive Director, State Board of Physical Therapy Examiners,
MDH
Christine A. Farrelly, Executive Director, State Board of Physicians, MDH
Lorraine W. Smith, Executive Director, State Board of Examiners of Psychologists,
MDH
Stanley E. Weinstein, Ph.D., Executive Director, State Board of Social Work Examiners,
MDH
William C. Tilburg, J.D., M.P.H., Executive Director, Maryland Medical Cannabis
Commission, MDH

Maryland Department of Health
Regulatory Services

Agency Response Form

Complaint Tracking

Finding 1
The Board of Nursing and the Board of Professional Counselors and Therapists did not
provide sufficient oversight to ensure that complaints against licensees were investigated
timely. Our review disclosed that numerous complaints were not investigated within one
year.

We recommend that the Board of Nursing and Board of Professional Counselors and
Therapists
a. properly monitor complaints (such as by periodically reviewing the tracking logs) and
develop a strategy to ensure the timely disposition of complaints (repeat); and
b. properly maintain the tracking logs and ensure the logs reflect all critical information,
including key dates such as initial receipt (repeat).

Agency Response
Analysis: Factually Accurate
Please provide additional comments as deemed necessary.

Recommendation 1a: Agree. Estimated Completion Date: 12/20/2020
Please provide details of corrective action or explain disagreement.

Maryland Board of Nursing:

The MBON properly monitors complaints and has developed a strategy
to ensure the timely disposition of complaints. The incoming complaints
tracking log was piloted in September 2019 to ensure that initial review
of complaints were forwarded to the triage committee in a timely
manner. The Complaints Manager tracks the complaints tracking log
monthly and addresses any concerns at that time. The Complaints
Manager monitors the complaints and ensures the timely disposition of
complaints. The triage log is dated from the day the Board receives the
complaint to the date of disposition. This will be documented on the
Compliance Audit tool and documents in policy and procedures.

Maryland Board of Counselors:

Agree: Board of Professional Counselors: Estimated Completion Date: 4/1/2021

Board of Professional Counselors concurs and will properly monitor
complaints (such as by periodically reviewing the tracking logs) and has
developed a strategy to ensure the timely disposition of complaints.
In 2017, the Board created a tracking log for all complaints and
continues to update this log daily. The tracking log will soon be
replaced with a new automated tracking system. The Board anticipates to
have the new tracking system fully operational by spring of 2021. The
Compliance Manager monitors the complaints.

Recommendation 1b: Agree. Estimated Completion Date: 12/31/2020
Please provide details of corrective action or explain disagreement.

Maryland Board of Nursing:

MBON has properly maintained the tracking logs and ensured the logs
reflect all critical information, including key dates such as initial
receipts. A triage tracking tool was developed in March of 2019. The
Investigators assignment tracking tool and the triage tracking tool were
revised July 23, 2020 to include critical information. The Assistant
Director of Enforcement will monitor the Investigators tracking tool
monthly. The Assistant Director of Enforcement monitors for key dates
and other critical information is not left blank monthly. Each
Investigator is responsible for completing the tracking tool as needed
(will be updated daily). The Assistant Director of Enforcement will
address any concerns noted at the time of the audit and documented on
the Investigation compliant audit log as explained in policy and
procedure.

Maryland Board of Professional Counselors:

Agree: Board of Professional Counselors: Estimated Completion Date: 4/1/2021

The Board of Professional Counselors concurs. In 2017, the Board
created a tracking log for all complaints and continues to update this log
daily. The tracking log will soon be replaced with an automated tracking
system. The Board anticipates that the new tracking system will be fully
operational by Spring 2021. The Compliance Manager will properly
maintain the tracking logs and ensure the logs reflect all critical
information, including key dates such as initial receipts.

Inspections

Finding 2
The Office of Health Care Quality did not conduct required annual inspections of all
assisted living facilities and developmental disabilities service providers.

We recommend that OHCQ, in conjunction with MDH, ensure inspections of the assisted
living facilities and developmental disabilities service providers are completed as required
by law (repeat).

Agency Response
Analysis
Please provide additional comments as deemed necessary.

Recommendation 2: Agree. Estimated Completion Date: June 30, 2025
Please provide details of corrective action or explain disagreement.

The Office of Health Care Quality concurs with the OLA
recommendation. On July 1, 2018, SB386 was approved. We are in the
4th year of the 7-year staffing plan to adequately staff OHCQ. The
additional staff will allow us to complete more of the mandated survey
activities. The 7-year staffing plan ends with FY24. A completion date
of June 30, 2025, was given to account for the hiring and training of new
staff which can take up to a year.

Cash Receipts

Finding 3
Controls over collections directly received at and the deposits made by the majority of the
HPBCs were not adequate, and duties related to cash receipts and licensing were not
properly segregated.

We recommend that the applicable HPBCs
a. perform documented verifications that credit card collections were deposited and
properly recorded in the State’s accounting records (repeat);
b. continue investigative action to determine whether the aforementioned $386,000 in
unrecorded collections were deposited and properly recorded in the State’s accounting
records;
c. ensure that employees processing collections are denied the system capability to issue or
renew licenses, certificates, or permits, (repeat) or to update the related billing records;
d. in conjunction with MDH, perform a documented consideration of the feasibility of
using a bank lockbox account to receive collections (repeat); and
e. periodically reconcile licensing activity with the related collections (repeat).

Agency Response
Analysis: Factually Accurate
Please provide additional comments as deemed necessary.

Recommendation 3a: Agree. Estimated Completion Date: 02/28/2021
Please provide details of corrective action or explain disagreement.

Maryland Board of Nursing:

MBON concurs with this finding and recommendation and will perform
documented verifications that ensures credit card collections are deposited
and properly recorded in the State’s accounting records. The Board has
created policy and procedures to comply with this finding.

Maryland Board of Physical Therapy Examiners:

Agree: Maryland Board of Physical Therapy Examiners: Estimated
Completion Date: 7/1/2020

MDBPTE has implemented a procedure to reconcile the credit card
merchant daily transactional statement with the State Treasurer’s daily
deposit report, the monthly bank statement and the State monthly statement
of account.

Reconciliation of above-mentioned accounts will ensure that all credit card
payment collections have been accurately accounted for and documentation
of this procedure maintained.
__________________________________________________________
Board of Dental Examiners:

Agree: Board of Dental Examiners: Estimated Completion Date: 12/31/2020

The Dental Board agrees and has made sure that adequate controls are in
place for depositing and that all receipts are properly accounted for. The
Dental board now uses a state approved vendor as the credit card merchant
and routinely reconciles all deposit activities.

Maryland Board of Occupational Therapy Practice:

Agree: Maryland Board of Occupational Therapy Practice: Estimated
Completion Date: 1/30/2021

The Maryland Board of Occupational Therapy will perform documented
verifications to ensure credit card collections are deposited and properly
recorded in the State’s accounting records. In addition, the Maryland Board
of OT will continue to download transaction reports from vendor (and soon
the new payment processing gateway). The Board will keep these reports in
a binder in the office and will reconcile them against the deposit fax and the
Revenue Report.

Board of Pharmacy:

Agree: Maryland Pharmacy: Estimated Completion Date: 2/28/21

Maryland Board of Pharmacy will perform documented verifications that
credit card collections were deposited and properly recorded in the State’s
accounting records.

Boards and Commissions:

Agree: Boards and Commissions: Estimated Completion Date: 08/24/2020

Each Board has established adequate control procedures to ensure that all
credit card transactions are deposited into the State Treasury and credited to
the respective Board.

Recommendation 3b: Agree. Estimated Completion Date: 3/31/2021
Please provide details of corrective action or explain disagreement.

Maryland Board of Nursing:

MBON concurs with this finding and recommendation. This issue arose
from a change in merchant id numbers (MID) between the Board and the
state Treasurer’s office. Although the MIDs were mixed-up, the funds were
still deposited into the state’s merchant account. As per your
recommendation, the Board will communicate with the treasurer’s office to
investigate further. The Director of Operations will monitor this concern on
a quarterly basis.

Recommendation 3c: Agree. Estimated Completion Date: 2/15/2020
Please provide details of corrective action or explain disagreement.

Maryland Medical Cannabis Commission:

MMCC - While this is identified as a “repeat” audit failure, the MMCC
only began receiving and processing payments, and licensing entities during
the audit period in question. The MMCC did not receive a previous audit
failure on this issue.

The MMCC clarified its fee collection duties must be segregated from
licensing duties. Beginning February 15, 2020, no employee who receives
or processes checks or money orders has access to licensing software. In
addition, the MMCC will perform quarterly audits to confirm (1) which
employees have access to the licensing software, (2) whether this access is
necessary for their job, and (3) that they do not receive or process
payments.

The employee(s) who accept/process mail, including checks, do not have
access to the licensing software. Likewise, the employees who may print
licenses, which require a physical signature by the Executive Director, do
not accept/process mail, including checks.

The MMCC has also requested and received a check scanner, which will
reduce the number of employees required to accept/process payments.

Board of Dental Examiners:

Agree: Board of Dental Examiners: Estimated Completion Date: 10/30/2020

MSBDE agrees with the findings and has put best practices in place to
assure that no staff members who accept/process mail, including checks, do
not have access to the licensing software and vice versa. Staff who may
print licenses, which require a physical signature by the Board President, do
not accept/process mail, including checks.

Boards and Commissions:

Agree: Boards and Commissions: Estimated Completion Date: 8/24/2020

The Boards will regularly monitor staff access accessibility to ensure that
only authorized staff has access to information that is pertinent to their
duties.

Recommendation 3d: Agree. Estimated Completion Date: 9/15/2020
Please provide details of corrective action or explain disagreement.

Maryland Medical Cannabis Commission:

In conjunction with MDH, the MMCC will consider the feasibility of using
a bank lockbox account to receive collections. One issue which must be
assessed is whether this would jeopardize federal funds received by other
boards and commissions or units at MDH. The MMCC regulates medical
cannabis, which remains a Schedule I drug under federal law. This means it
is illegal to manufacture, distribute, or possess the drug under federal law.
The federal government has stripped state agencies of grant funding and
other sources of federal funds due to connection with the State’s lawful
medical cannabis program. Therefore, the MMCC is cautious not to
coordinate services with other agencies and units.

Maryland Board of Nursing:

Agree: Maryland Board of Nursing: Estimated Completion Date: 3/31/2021

MBON concurs with this finding and recommendation. The Board has
considered the feasibility of procuring lockbox services on several
occasions – most recently October 2019. It was determined that lockbox
service was not feasible at that time. However, the Board will re-evaluate
the feasibility of lockbox service, per this recommendation. The Board has
emails concerning this matter with our fiscal manager. Fiscally the lockbox
will cause a financial burden to the Board.

Board of Dental Examiners:

Agree: Board of Dental Examiners: Estimated Completion Date: 10/30/2020

MSBDE is currently utilizing the lock box.

Maryland Board of Physical Therapy Examiners:

Agree: Maryland Board of Physical Therapy Examiners: Estimated
Completion Date: 8/1/2020

MBPTE has looked into lockbox services and finds it is not fiscally
responsible to pursue with over 92% of MDBPTE revenue transaction
payments are made with a credit card. Inquiries into the cost of a bank
lockbox found that the setup fee will be over $10,000.00 plus yearly bank
charges which will increase current expenses by over 300%. Plus, there
would be courier service costs to pick up checks mistakenly mailed to
MDBPTE. Fiscally a bank lockbox will cause a financial burden.
Additionally, a bank lockbox will delay the timely processing of licensing
payments which would adversely impact our efficiency and customer
service satisfaction.
In consideration of the fact that MDBPTE is self-funded, the majority of
transactions are through credit cards, and customer service would be
adversely impacted, it is not feasible for MDBPTE to have a bank lockbox.

Boards and Commissions:

Agree: Boards and Commissions: Estimated Completion Date: 8/24/2020

The Board & Commissions has investigated into looking into using a
lockbox and the results are as follows. It is not cost effective for these
Boards to use a lockbox for the following reasons.
• An analysis of lockboxes revealed that lockboxes are extremely
costly (setup fees, monthly fees for each lockbox, and service/transaction
for initial applications, and those that do for each payment processed). I.e.
in FY 19 the Pharmacy Board’s cost was $70,474 and $61,271 in FY 20.
The cost to install and maintain a lockbox can be more than some boards
collect.
• Many Boards currently have an online credit card payment system
for initial applications, and those that do not are scheduled to implement
this system. Currently, all Boards have online renewal payment systems.
• Lockboxes don’t account for other forms of payment received.
Therefore, multiple financial systems would need to be maintained.

Recommendation 3e: Agree. Estimated Completion Date: 12/31/2021
Please provide details of corrective action or explain disagreement.

Maryland Board of Nursing:

MBON concurs with this finding and recommendation. However, the
limitations of the Board’s licensing system prevent the establishment of a
relationship between licensing activity and revenue. Additionally, the
receipt of payment does not necessarily result in any licensing activity (i.e.
a person who pays for a license does not necessarily receive one). The
Board planned to begin utilizing its licensing system to account for
collections – which would hopefully assist with reconciliations – however,
to date, that plan hasn’t borne any fruit. In the interim, Board staff began
performing quarterly audits, to ensure that payments were received for
every license that was issued or renewed. The Board plans to automate this
process in the future once a determination is made/settled with our current
licensing system.

Board of Dental Examiners:

Agree: Board of Dental Examiners: Estimated Completion Date: 10/30/2020

MSBDE concurs with recommendation therefore has implemented a
process to ensure periodically licensing activity is reconciled to related
collections. The licensing manager reconciles and ensures all fees collected
are accounted for before authorizing the printing of a license.

Board of Morticians and Funeral:

Agree: Board of Morticians and Funeral: Estimated Completion Date: 7/1/2020

The Board has established a process to ensure periodically the Board is
reconciling licensing activity with the related collections. Licensing
Coordinator reconciles money received before printing a license. The
Executive Director will ensure an audit is conducted regularly to validate
monthly deposits and refunds are properly reflected in monthly DAFR
Reports from Fiscal Officer.

Board of Pharmacy:

Agree: Board of Pharmacy: Estimated Completion Date: 2/28/21

Maryland Board of Pharmacy will periodically reconcile licensing activity
with the related collections.
_____________________________________________________________
Boards and Commissions:

Agree: Boards and Commissions: Estimated Completion Date: 8/24/2020

Effective immediately, routine reconciliations are performed between
licensing activities and monetary collections. Also, the Boards will regularly
monitor these procedures to ensure they continue to provide the oversight
that is needed, and only authorized staff have access to information that is
pertinent to their duties.

Licensing Systems Access

Finding 4
Twenty-one HPBCs did not perform documented system access reviews of their licensing
system to ensure that user access capabilities were adequately restricted. As a result,
numerous users could unilaterally issue or renew licenses, and current or former
employees had unnecessary system access.

We recommend that the HPBCs

a. perform documented periodic access reviews of the licensing systems;
b. establish online or manual controls to prevent users from unilaterally issuing or
renewing licenses, including those noted above; and
c. ensure that users are assigned only those capabilities needed to perform job duties and
to eliminate unnecessary access, including those noted above.

Agency Response
Analysis Factually Accurate
Please provide additional comments as deemed necessary.

Recommendation 4a Agree Estimated Completion Date: 12/31/2020


Please provide details of corrective action or explain disagreement.

Maryland Board of Nursing:

MBON periodically conducts an access review with the information
technology staff to ensure that access and restrictions are applied to the
appropriate person. The Director of IT performs an audit on IT access
and restrictions on a quarterly basis per policy and procedure.

Maryland Medical Cannabis Commission:

Agree: MMCC - Estimated Completion Date: 7/1/2020

The MMCC has adopted an organizational policy requiring the
Department of Laboratories and Compliance, which oversees licensing
and registration of medical cannabis businesses, to conduct a quarterly
review of the licensing systems to determine whether (1) access to the
licensing system was properly restricted and (2) licensing access was
necessary for the employee to complete their job.

The MMCC has integrated its licensing system with One Stop, the
central hub for Maryland licenses, forms, certificates, permits,
applications, and registrations. The buildout of the MMCC platform on
One Stop will be completed by October 2020. The One Stop portal
allows system managers to review user access. At the MMCC, the
Executive Director, Deputy Director, and IT Director have appropriate
access to change user permissions. These permissions will be reviewed
by the Department of Laboratories and Compliance every quarter in
order for the Department to make recommendations to the Executive
Director and Deputy Director.

_________________________________________________________
Board of Dental Examiners:

Agree: Board of Dental Examiners: Estimated Completion Date: 12/31/2020

MSBDE has acquired a new licensing system and prior to it coming
online, licensing staff revisited the protocols of accessibility and who
performed what function. The new licensing system came online in the
fall and we performed the first periodic review at the end of CY2020.
Policy and procedures will be established to ensure this process is
performed routinely going forward.

Board of Physicians

Agree: Board of Physicians: Estimated Completion Date: 2019

The Board of Physicians performs documented access reviews of its
licensing system.

_________________________________________________________

Maryland Board of Physical Therapy Examiners:

Agree: Maryland Board of Physical Therapy Examiners: Estimated
Completion Date: 7/30/2020

MBPTE conducts documented periodic access reviews of the licensing
system.

Maryland Board of Occupational Therapy Practice:

Agree: Maryland Board of Occupational Therapy Practice:
Estimated Completion Date: 12/31/2020

The Maryland Board of OT continues to restrict issuance and renewal
of licensees and conducts periodic review of the system access as
recommended. The Board of OT has created policy and procedures.

Boards and Commissions:

Agree: Boards and Commissions: Estimated Completion Date: 8/24/2020

The Boards conduct access reviews with the information technology
staff to ensure that access and restrictions are applied to the appropriate
person. Policy and procedures will be established to ensure compliance
at all times.

Recommendation 4b Agree Estimated Completion Date: 12/31/2020


Please provide details of corrective action or explain disagreement.

Maryland Board of Nursing:

MBON has established controls to prevent users from unilaterally
issuing or renewing licenses, including those noted above. MBON
conducts routine access reviews to ensure that access and restrictions
are appropriately applied. The Director of IT performs an audit on IT
access and restrictions on a quarterly basis per policy and procedures.

Board of Dental Examiners:

Agree: Board of Dental Examiners: Estimated Completion Date: 10/30/2020

The Board of Dental Examiners has established controls to prevent
users from unilaterally issuing or renewing licenses, including those
noted above. Each member of the licensing unit has a specific duty in
the licensing process and never independently issues licenses without
all members doing their respective portion of the transaction. This is
monitored closely by the IT department to assure that no improprieties
take place.

Maryland Board of Physical Therapy Examiners:

Agree: Maryland Board of Physical Therapy Examiners: Estimated
Completion Date: 7/30/2020

MBPTE has established controls to prevent users from unilaterally
issuing or renewing licenses, including those noted above. Only
MBPTE staff with the correct licensing system permissions can edit
licensee information or issue/renew a license. There are designated
levels of access (read-only, full access, no access) which enables
independent review of the system (i.e. read-only). IT will be providing a
quarterly system permission review report.

Pre-audit, MDBPTE and IT communicated via email on changes related
to staff access and restrictions. These changes were routinely checked
by MDBPTE and IT but not verified through an IT quarterly system
permission review report.

Boards and Commissions:

Agree: Boards and Commissions: Estimated Completion Date: 8/24/2020

Boards and Commissions has established controls to prevent users from
unilaterally issuing or renewing licenses, including those noted above.
Policy and procedures will be established to ensure compliance at all
times.

Recommendation 4c Agree Estimated Completion Date: 12/31/2020


Please provide details of corrective action or explain disagreement.

Maryland Board of Nursing:

MBON ensures that users are assigned only those capabilities needed to
perform job duties and has eliminated all unnecessary access. MBON
has developed procedures and delineating requirements that must exist
to be granted access.
_________________________________________________________
Board of Dental Examiners:

Agree: Board of Dental Examiners: Estimated Completion Date: 12/31/2020

MSBDE ensures that users are assigned only those capabilities needed
to perform job duties and has eliminated all unnecessary access. The
SOP was finalized CY20 identifying who has what accesses and
capabilities in the licensing process.

Maryland Board of Physical Therapy Examiners:

Agree: Maryland Board of Physical Therapy Examiners: Estimated
Completion Date: 7/30/2020

MDBPTE ensures that users are assigned only those capabilities needed
to perform job duties and has eliminated all unnecessary access.
MDBPTE Deputy Directors reviews the IT quarterly system permission
review report and informs the IT department in writing of any changes
required to users’ permissions.

MDBPTE maintains a record of communications with IT when
requesting a change in user’s access and acknowledges receipt of IT
quarterly system permission review reports.

Boards and Commissions:

Agree: Boards and Commissions: Estimated Completion Date: 8/24/2020

Boards and Commissions ensures that users are assigned only those
capabilities needed to perform job duties and has eliminated all
unnecessary access. Written procedures have been developed
delineating requirements that must be met to be granted access.

Information Systems Security and Control

Finding 5
Password and account controls for the Board of Nursing and the Board of Pharmacy were
not sufficient to properly protect critical data.

We recommend that
a. the two Boards implement strong controls over passwords and accounts for critical
applications in accordance with the settings prescribed by the Information Technology
Security Manual (repeat), and
b. MDH determine the extent to which additional application password and account
controls are needed to protect licensee data for the remaining boards and commissions
(repeat).

Agency Response
Analysis Factually Accurate
Please provide additional comments as deemed necessary.

Recommendation 5a Agree Estimated Completion Date: 12/31/2021


Please provide details of corrective action or explain disagreement.

Board of Nursing:

MBON has implemented enhanced password requirements to its
licensing application as outlined by the June 2019 release of DoIT’s
Information Technology Security Manual, effective 12-March-2020.
However, further updates will be completed by year end to ensure full
compliance.

Compliance will require additional software upgrade and extensive
testing to ensure the proper operation of the licensing application.

While Governor Hogan’s Executive Order is in effect we will NOT
make any changes to the licensing system to avoid any significant down
time during COVID-19 pandemic.

Board of Pharmacy: Estimated Completion Date: 12/8/2019

The Maryland Board of Pharmacy has implemented the password
requirements outlined by the current IT manual.

Recommendation 5b Agree Estimated Completion Date: 07/01/2022


Please provide details of corrective action or explain disagreement.

MDH will determine the extent to which additional application password
and account controls are needed to protect licensee data for the
remaining boards and commissions.

Procurements

Finding 6
The Board of Dental Examiners did not comply with State procurement regulations when
awarding two sole source contracts totaling $302,000 to a vendor for a new licensing
system.

We recommend that the Board of Dental Examiners
a. ensure sole source procurements are adequately justified and use the sole source
procurement method when only a single vendor can meet the requirements; and
b. submit contracts to DoIT and BPW for review and approval, as required.

Agency Response
Analysis Factually Accurate
Please provide additional comments as deemed necessary.

Recommendation 6a Agree Estimated Completion Date: 6/30/2021


Please provide details of corrective action or explain disagreement.

The Board Dental agrees and will ensure sole source procurements are
adequately justified and use the sole source procurement method when
only a single vendor can meet the requirements. Will put together a
policy and procedure to provide guidance for use in the future.

Recommendation 6b Agree Estimated Completion Date: 6/30/2021

Please provide details of corrective action or explain disagreement.

The Board of Dental Examiners will submit contracts to DoIT and BPW
for review and approval, as required. The Board will develop a policy and
procedure and look into training the Board and staff.

Consolidation of Operations

Finding 7 (Policy Issue)
Consolidation of licensing, procurement, and other fiscal operations to enhance internal
controls and maximize efficiencies had not been pursued by the HPBCs.

We recommend that the HPBCs collectively identify opportunities for consolidating certain
operations to enhance internal controls and maximize efficiencies and, if deemed practical,
develop a formal plan to accomplish such enhancements.

Agency Response
Analysis Factually Accurate
Please provide additional comments as deemed necessary.

Recommendation 7 Agree Estimated Completion Date: 10/1/2020

Please provide details of corrective action or explain disagreement.

Maryland Medical Cannabis Commission:

The MMCC is consolidating licensing operations by migrating its
licensing and registration operations to Maryland OneStop, which
houses licensing services for more than one dozen state agencies and
commissions.

Board of Physicians:

Agree: Board of Physicians: Estimated Completion Date: 1/31/2022

During the audit period, the Boards collaborated on an enterprise
licensing system and met monthly to discuss common issues.
Additionally, the Boards share numerous services and consolidate
whenever possible. The Board of Physicians continuously works toward
enhancing internal controls and maximizing efficiencies. The Board
uses State-approved vendors when possible, but it does have unique
needs such as physician peer review. The Board of Physicians has
concerns about a “consolidated” approach because it already pays a
larger, disproportionate, and inequitable amount of shared costs and
costs related to other Boards. This in turn results in higher licensure fees
for its licensees.

The Board of Physicians has its own IT and Fiscal Units. The Board
owns its IT system outright. The Board’s IT system was created to meet
the needs of the Board and continues to be modified in response to
operational changes. Further, the Board of Physicians already pays a
larger, inequitable amount of shared costs and costs related to other
Boards which results in higher fees for our licensees.

Boards and Commissions:

Agree: Boards and Commissions: Estimated Completion Date: 1/31/2022

The Boards (Board of Nursing, Dental Board, Board of Pharmacy and
Board of Occupational Therapy) will continue to investigate the
practicality and cost-effectiveness of centralizing certain fiscal
functions. Additionally, the Boards will reexamine their already uniform
fiscal guidelines and policies and look at feasible ways to refine them.
As it relates to licensing functions since the last audit, eight of the
boards have merged onto the same automatic licensing system, and the
remaining boards are scheduled to join. The Boards follow the state’s
policies relating to procurement procedures and will continue to do so.

AUDIT TEAM
Edward A. Rubenstein, CPA
Audit Manager

Richard L. Carter, CISA
Edwin L. Paul, CPA, CISA
Information Systems Audit Managers

Menachem Katz, CPA
Senior Auditor

J. Gregory Busch, CISA
Information Systems Senior Auditor

Ashley M. Darby
Paul A. McGrew
Daniel P. Nuccio, CPA, CFE
Dianne P. Ramirez
Staff Auditors
