Professional Documents
Culture Documents
Reg Services 21
Reg Services 21
January 2021
To Report Fraud
The Office of Legislative Audits operates a Fraud Hotline to report fraud, waste, or abuse involving State
of Maryland government resources. Reports of fraud, waste, or abuse may be communicated anonymously
by a toll-free call to 1-877-FRAUD-11, by mail to the Fraud Hotline, c/o Office of Legislative Audits, or
through the Office’s website.
Nondiscrimination Statement
The Department of Legislative Services does not discriminate on the basis of age, ancestry, color, creed,
marital status, national origin, race, religion, gender, gender identity, sexual orientation, or disability in the
admission or access to its programs, services, or activities. The Department’s Information Officer has been
designated to coordinate compliance with the nondiscrimination requirements contained in Section 35.107
of the United States Department of Justice Regulations. Requests for assistance should be directed to the
Information Officer at 410-946-5400 or 410-970-5400.
January 19, 2021
Senator Clarence K. Lam, M.D., Senate Chair, Joint Audit and Evaluation Committee
Delegate Carol L. Krimm, House Chair, Joint Audit and Evaluation Committee
Members of Joint Audit and Evaluation Committee
Annapolis, Maryland
Our audit disclosed issues with the monitoring of certain licensees. Specifically,
the Board of Nursing and Board of Professional Counselors and Therapists did
not provide sufficient oversight of complaint investigations against licensees. As
a result, numerous complaints received by the Boards were not investigated in a
timely manner. For example, the Board of Nursing received 8,238 complaints
during our audit period. We noted that 3,272 of these complaints were still under
investigation as of March 2020, including 2,790 complaints for which there had
been an open investigation for more than one year. The timely investigation and
resolution of complaints is critical since licensees continue to practice until
investigations are completed and any actions deemed necessary are taken.
Additionally, as noted in MDH audit reports dating back to 2004, OHCQ had not
performed annual inspections for a number of licensed assisted living facilities
and developmental disabilities service providers.
Certain HPBCs had not established adequate controls over cash receipts. For
example, for 7 HPBCs, employees who were responsible for handling collections
also had access to the licensing systems, which gave them the capability to issue
or renew the related licenses. These functions should be separated to ensure
collections are properly controlled. Our audit also disclosed that 21 HPBCs did
not ensure user access capabilities in their respective licensing systems were
properly restricted. For example, 63 employees at 12 HPBCs could unilaterally
issue or renew a license. Our audit also disclosed that certain controls over the
licensing systems used by two HPBCs were not sufficient to protect critical
licensee data.
Furthermore, we noted that the Board of Dental Examiners did not prepare written
justifications to support the sole source procurement of two contracts or obtain
Department of Information Technology (DoIT) and BPW approval for the
contracts, as required.
Finally, we believe that certain of our findings could be the result of insufficient
individual board resources. Consequently, although this may be an area for
further study, we noted opportunities for consolidating licensing, procurement,
and other fiscal functions of the HPBCs. Although this course of action is not
required by any statute or regulation, we believe that consolidating these
processes would allow the HPBCs to resolve certain internal control deficiencies
commented upon in this report. In addition, consolidation could increase
efficiencies and achieve unspecified cost savings. For example, consolidating
procurements to leverage the HPBCs collective purchasing power could result in
enhanced competition and potential volume discounts.
Our audit included a review to determine the status of the eight findings
contained in our preceding Regulatory Services audit report. We determined
that Regulatory Services satisfactorily addressed three of these findings. The
remaining five findings are repeated in this report, two of which are combined
and presented as one finding.
2
Services’ willingness to address the audit issues and implement appropriate
corrective actions.
Respectfully submitted,
3
4
Table of Contents
Background Information 7
Agency Responsibilities 7
Organizational Change 7
Status of Findings From Preceding Audit Report 7
Complaint Tracking
* Finding 1 – The Board of Nursing and the Board of Professional 9
Counselors and Therapists did not provide sufficient oversight to
ensure that complaints against licensees were timely investigated.
Our review disclosed that numerous complaints were not investigated
within one year.
Inspections
* Finding 2 – The Office of Health Care Quality did not conduct required 10
annual inspections of all assisted living facilities and developmental
disabilities service providers as required.
Cash Receipts
* Finding 3 – Controls over collections and deposits received at the Health 13
Professional Boards and Commissions (HPBCs) were not adequate,
and duties related to cash receipts and licensing were not properly
segregated.
5
Procurements
Finding 6 – The Board of Dental Examiners did not comply with State 20
procurement regulations when awarding two sole source contracts
totaling $302,000 to a vendor for a new licensing system.
Consolidation of Operations
Finding 7 (Policy Issue) – Consolidation of licensing, procurement, 21
and other fiscal operations to enhance internal controls and
maximize efficiencies had not been pursued by the HPBCs.
6
Background Information
Agency Responsibilities
Organizational Change
Chapter 739, Laws of Maryland 2016, effective October 1, 2016, separated the
Board of Chiropractic and Massage Therapy Examiners into the Board of
Chiropractic Examiners and the Board of Massage Therapy Examiners. This law
also eliminated the special, non-lapsing fund previously shared by the two boards
by establishing the State Board of Chiropractic Examiners Fund and the State
Board of Massage Therapy Examiners Fund.
Our audit included a review to determine the status of the eight findings contained
in our preceding audit report dated April 26, 2017. As disclosed in Table 1
below, we determined that Regulatory Services satisfactorily addressed three of
these findings. The remaining five findings are repeated in this report, two of
which were combined and presented as one finding in this report.
7
Table 1
Status of Preceding Findings
Preceding Implementation
Finding Description
Finding Status
The Board of Professional Counselors and Therapists
did not properly track complaints against licensees,
Repeated
Finding 1 resulting in complaints not being investigated and
(Current Finding 1)
submitted to the Office of the Attorney General in a
timely manner.
The Board of Nursing did not always take timely
action to suspend the licenses of delinquent
Finding 2 Not repeated
noncustodial parents referred by the Child Support
Administration as required by State law.
The Office of Health Care Quality did not conduct
Repeated
Finding 3 annual inspections of certain health care facilities as
(Current Finding 2)
required.
The Maryland Medical Cannabis Commission
improperly used interagency agreements with a State
Finding 4 Not repeated
university to procure license application evaluation
services.
Certain boards did not adequately control and account Repeated
Finding 5
for collections. (Current Finding 3)
Seventeen boards and commissions did not ensure
Repeated
Finding 6 that employees handling collections were denied the
(Current Finding 3)
capability to issue or renew licenses.
The Board of Physicians did not adequately monitor a
Finding 7 rehabilitation services vendor and did not always Not repeated
obtain documentation to support amounts invoiced.
Password and account controls for the Boards of
Repeated
Finding 8 Nursing, Physicians, and Pharmacy were not
(Current Finding 5)
sufficient to properly protect critical data.
8
Findings and Recommendations
Complaint Tracking
Finding 1
The Board of Nursing and the Board of Professional Counselors and
Therapists did not provide sufficient oversight to ensure that complaints
against licensees were investigated timely. Our review disclosed that
numerous complaints were not investigated within one year.
Analysis
Our review of the complaint tracking procedures for 2 of the 22 Health
Professional Boards and Commissions (HPBCs), the Board of Nursing and the
Board of Professional Counselors and Therapists, disclosed that neither Board
provided sufficient oversight to ensure that complaints against licensees were
investigated timely. Our audit disclosed a significant number of complaints
received by these Boards that were still under investigation more than one year
after the complaints were received.
The Board of Nursing did not periodically review logs to ensure that
investigations were conducted timely. In addition, while cases were tracked in
separate logs maintained by three Board investigative staff, we noted that each log
did not include all critical information. For example, the logs for two of the
investigators lacked the date that the Board received the complaint and therefore,
the Board could not readily determine the timeliness of the investigation.
According to its licensing system, which contained certain information regarding
complaints but was not used to track the status of the related investigations, the
Board of Nursing received 8,238 complaints during the period from September
2015 to September 2019. As of March 2020, 3,272 of these complaints were still
under investigation or not yet investigated. Our review of these 3,272 complaints
disclosed that 2,790 had been open for more than one year, including 151
complaints received during calendar year 2015.
For the Board of Professional Counselors and Therapists, while we were advised
that the Board periodically reviewed its complaint log, this review was not
effective since the log was not completed for certain investigations. Specifically,
our review of the 225 complaints recorded in the log during the period from April
2017 to June 2019 disclosed 44 complaints that had been open for more than one
year and for which the log was not updated to reflect the current status of the
investigations. For example, the date the case was assigned to an investigator had
not been recorded for 30 of these 44 complaints. A similar condition regarding
the Board of Professional Counselors and Therapists not properly monitoring
9
complaints and maintaining a tracking log that did not include all critical
information was commented upon in our preceding audit report.
In accordance with State law, the Secretary of MDH had developed guidelines
with timeliness goals for complaint resolution by the HPBCs. The guidelines
established a goal of 3 to 12 months for the completion of a complaint
investigation and a determination to bring charges with the Office of the Attorney
General (OAG), with the specific goal for the Board Nursing being 270 days.
Adequate tracking and timely resolution of complaints is critical since licensed
individuals continue to practice until the OAG takes action.
Recommendation 1
We recommend that the Board of Nursing and Board of Professional
Counselors and Therapists
a. properly monitor complaints (such as by periodically reviewing the
tracking logs) and develop a strategy to ensure the timely disposition of
complaints (repeat); and
b. properly maintain the tracking logs and ensure the logs reflect all critical
information, including key dates such as initial receipt (repeat).
Inspections
Finding 2
The Office of Health Care Quality did not conduct required annual
inspections of all assisted living facilities and developmental disabilities
service providers.
Analysis
The Office of Health Care Quality (OHCQ) did not inspect each of the assisted
living facilities and developmental disabilities service providers annually as
required by State law. Specifically, as noted in Table 2, OHCQ did not complete
all of the required annual inspections during fiscal years 2016 through 2019.
Similar conditions have been commented upon in MDH audit reports dating back
to 2004.
10
Table 2
OHCQ Annual Inspections Between Fiscal Years 2016 and 2019
Fiscal Assisted Living Facilities Developmental Disabilities Providers
Year Inspections Percentage Inspections Percentage
Facilities Providers
Conducted Conducted Conducted Conducted
2016 1,531 1,188 78% 218 53 24%
2017 1,580 755 48% 230 91 40%
2018 1,546 788 51% 241 47 20%
2019 1,563 1,108 71% 253 99 39%
According to OHCQ’s fiscal year 2019 Annual Report and Staffing Analysis
submitted to the General Assembly, insufficient staff has impacted its ability to
meet the annual inspection requirements. In fiscal year 2018, MDH implemented
a seven-year staffing plan to increase the number of OHCQ inspectors. While the
Annual Report indicated that the plan remained on target through fiscal year 2021,
OHCQ advised that it still needed an additional 40 staff to perform the required
number of inspections. In addition, uncertainty regarding the State’s budgetary
outlook due to the ongoing COVID-19 pandemic may further impact the
feasibility of this staffing plan.
Recommendation 2
We recommend that OHCQ, in conjunction with MDH, ensure inspections of
the assisted living facilities and developmental disabilities service providers
are completed as required by law (repeat).
Cash Receipts
Background
According to the State’s records, during fiscal year 2019, collections received by
the 22 HPBCs totaled approximately $49.0 million (see Table 3 on the following
page). These collections, which primarily related to licensing fees, were received
11
by direct mail, in person, by credit card (processed either by HPBC staff or by
third-party vendors), or by a lockbox.
Table 3
Summary of Fiscal Year 2019 Collections
Collection Method
Board or Mail and
Commission Credit Card Walk-in Lockbox Total
Physicians $9,895,499 $0 $2,929,946 $12,825,445
Medical Cannabis 4,291,854 6,069,450 0 10,361,304
Nursing 7,736,954 619,807 0 8,356,761
Pharmacy 1,956,964 0 2,525,494 4,482,458
Dental Examiners 1,716,023 619,464 0 2,335,487
Social Work
Examiners
1,771,325 246,540 0 2,017,865
Professional
Counselors and 894,294 804,311 0 1,698,605
Therapists
Chiropractic
Examiners*
1,150,625 102,908 0 1,253,533
Physical Therapy
Examiners
979,285 89,346 0 1,068,631
Examiners of
Psychologists
593,988 271,823 0 865,811
Morticians 183,000 524,555 0 707,555
Occupational
Therapy Practice
590,575 22,635 0 613,210
Audiologists,
Hearing Aid
Dispensers and 410,054 97,758 0 507,812
Speech-Language
Pathologists
Acupuncture 270,148 87,506 0 357,654
Podiatric Examiners 215,350 116,185 0 331,535
Dietetic Practice 283,354 32,255 0 315,609
Examiners in
Optometry
256,864 33,561 0 290,425
Massage Therapy
Examiners
0 212,955 0 212,955
Kidney Disease 0 185,370 0 185,370
Environmental
Health Specialists
0 113,425 0 113,425
Examiners of
Nursing Home 41,800 17,900 0 59,700
Administrators
Residential Child
Care Administrators
3,350 32,945 0 36,295
Total $33,241,306 $10,300,699 $5,455,440 $48,997,445
Source: State Accounting Records
* Credit card collections listed for Chiropractic Examiners also includes collections for Massage
Therapy Examiners which could not be broken out.
12
Collections received through the direct mail and walk-in were deposited using
remote deposit, a process that scans the images of checks and electronically
transmits those images to the bank for deposit. Collections received at 18 HPBCs
were scanned into the remote deposit system by an employee and electronically
transmitted to the bank for deposit by MDH’s Division of General Accounting
(DGA), and collections for the remaining 2 HPBCs that received mail or walk in
collections were processed by their own remote deposits systems.
Finding 3
Controls over collections directly received at and the deposits made by the
majority of the HPBCs were not adequate, and duties related to cash receipts
and licensing were not properly segregated.
Analysis
Controls over collections and deposits received at the HPBCs were not adequate,
and duties related to cash receipts and licensing were not properly segregated. As
summarized in Table 4, our review of the 22 HPBCs’ procedures and controls
disclosed deficiencies in the following areas among 19 of the HPBCs:
Segregation of Duties
Seven HPBCs had not properly segregated cash handling duties from the
licensing duties. Specifically, nine employees with access to collections
received at the seven HPBCs had been assigned system user functions that
allowed them the capability to issue or renew licenses, certificates, or permits,
or adjust the related billing records. As a result, collections could be
misappropriated and the related licenses issued without detection. We were
advised by HPBC personnel that the problem was due to limited resources and
it had considered processing these HPBCs’ collections through lockboxes to
eliminate the cash handling duties of the employees with the capability to issue
13
licenses, but determined that it would be cost prohibitive given the amount of
collections received by the individual HPBCs. However, no documentation
was provided to support this assertion. As noted in Finding 7, if the HPBCs
consolidated certain functions, cost efficiencies may be achievable.
14
Table 4
Finding 3 Summary
Credit Card Cash
Collections Handling
Verified to and Licenses
Verified State Licensing Reconciled
to Accounting Duties to
Board or Commission Deposit Records Segregated Collections
Physicians Yes Yes Yes Yes
Medical Cannabis Yes Yes No Yes
Nursing No No Yes No
Pharmacy No Yes Yes No
Dental Examiners No No No No
Social Work Examiners No Yes Yes Yes
Professional Counselors and
No Yes Yes No
Therapists
Chiropractic Examiners No No Yes No
Physical Therapy Examiners No Yes Yes Yes
Examiners of Psychologists No No Yes No
Morticians Yes Yes Yes No
Occupational Therapy Practice No Yes Yes Yes
Audiologists, Hearing Aid
Dispensers and Speech-Language No No Yes No
Pathologists
Acupuncture Yes Yes No Yes
Podiatric Examiners Yes Yes No Yes
Dietetic Practice Yes Yes Yes Yes
Examiners in Optometry No Yes Yes Yes
Massage Therapy Examiners No No Yes No
Kidney Disease* N/A N/A Yes Yes
Environmental Health Specialists* N/A N/A No No
Examiners of Nursing Home
No No No No
Administrators
Residential Child Care
No No No No
Administrators
Total Exceptions 14 8 7 12
*As noted in Table 3, the Board of Environmental Health Specialists and Commission on
Kidney Disease did not process collections via credit card. Therefore, these attributes are not
applicable.
The failure to verify that credit card collections were deposited and recorded in
the State’s accounting records, and the lack of segregation of cash handling and
licensing duties for a number of HPBCs were commented upon in our preceding
audit report. Furthermore, the lack of reconciliations of licenses issued to the
related collections by certain HPBCs has been commented upon in our audit
reports dating back to 2006.
15
accounting records. In addition, the Manual requires the separation of cash
handling duties and licensing duties and reconciling the value of licenses to the
related collections.
Recommendation 3
We recommend that the applicable HPBCs
a. perform documented verifications that credit card collections were
deposited and properly recorded in the State’s accounting records
(repeat);
b. continue investigative action to determine whether the aforementioned
$386,000 in unrecorded collections were deposited and properly recorded
in the State’s accounting records;
c. ensure that employees processing collections are denied the system
capability to issue or renew licenses, certificates, or permits, (repeat) or to
update the related billing records;
d. in conjunction with MDH, perform a documented consideration of the
feasibility of using a bank lockbox account to receive collections (repeat);
and
e. periodically reconcile licensing activity with the related collections
(repeat).
Finding 4
Twenty-one HPBCs did not perform documented system access reviews of
their licensing system to ensure that user access capabilities were adequately
restricted. As a result, numerous users could unilaterally issue or renew
licenses, and current or former employees had unnecessary system access.
Analysis
Twenty-one HPBCs did not perform documented system access reviews of their
licensing systems. We obtained system-generated reports from the 7 licensing
systems used by the 22 HPBCs which identified 147 users with active access.
Our review disclosed that during the audit period 21 of the 22 HPBCs had not
conducted a review of user access to determine whether the access was properly
restricted and necessary for the employee to complete their job. As a result, we
noted the following conditions:
Sixty-four users at 12 HPBCs (see Table 5) had the ability to unilaterally issue
or renew licenses without independent review and approval. The licensing
system shared and used by 9 HPBCs did not have the ability to establish
16
online approvals, and no manual approvals of the licenses were performed.
The system used by the remaining 3 HPBCs had the capability to create online
approvals, but the HPBCs did not consistently use this capability or establish
procedures to manually review the related licenses.
Forty-eight users at 4 HPBCs (see Table 5) could issue or renew licenses even
though this capability was not required to perform their job duties. In
addition, 3 former employees at 3 HPBCs (see Table 5), including one that
could unilaterally issue licenses, had system access even though the
employees had terminated their employment 1 to 12 months earlier. As a
result, these former employees still had access to Personally Identifiable
Information (PII).
17
Table 5
Finding 4 Summary
Periodic Employees Employees Former
System Able to with Employees
Access Unilaterally Unnecessary with
Board or Commission Review Issue Licenses Capabilities Access
Physicians No - - -
Medical Cannabis No - - -
Nursing No 38 22 -
Pharmacy No 6 16 -
Dental Examiners No 6 9 1
Social Work Examiners No - 1 -
Professional Counselors and Therapists No 6 - -
Chiropractic Examiners* No 2 - -
Physical Therapy Examiners No - - -
Examiners of Psychologists No 1 - -
Morticians No 1 - -
Occupational Therapy Practice No - - -
Audiologists, Hearing Aid Dispensers and - -
No 1
Speech-Language Pathologists
Acupuncture No - - -
Podiatric Examiners No - - -
Dietetic Practice No - - -
Examiners in Optometry No - - -
Massage Therapy Examiners* No 2 - -
Kidney Disease Yes - - -
Environmental Health Specialists No 1 - 1
Examiners of Nursing Home - -
No 1
Administrators
Residential Child Care Administrators No 1 - 1
Total Exceptions 21 64 48 3
Source: Regulatory Services Records
*The Board of Massage Therapy Examiners and the Board of Chiropractic Examiners used the same staff to issue
licenses. The 2 employees who could unilaterally issue licenses for these boards are only included once in the total
(therefore, the total in the Employees Able to Unilaterally Issue Licenses column does not add up).
Recommendation 4
We recommend that the HPBCs
a. perform documented periodic access reviews of the licensing systems;
b. establish online or manual controls to prevent users from unilaterally
issuing or renewing licenses, including those noted above; and
18
c. ensure that users are assigned only those capabilities needed to perform
job duties and to eliminate unnecessary access, including those noted
above.
Background
Fifteen boards and one commission (Kidney Disease) have licensing systems
maintained by the HPBCs information technology staff on a consolidated
licensing application database system. The remaining five boards (including the
Boards of Physicians, Nursing, and Pharmacy) maintain licensing systems
residing on servers located at each board’s office and principally use application
security to provide system security. Several boards also provide an online license
verification service to the general public and numerous boards offer online license
renewals. Additionally, the Maryland Medical Cannabis Commission uses an
outside service provider system for licensing and registration processing
functions. The Office of Health Care Quality uses a Federal Centers for Medicare
and Medicaid Services’ system for its information system processing
requirements.
Our audit of these systems was primarily limited to the review of select database
system controls of the Board of Physicians and the Board of Nursing. Our audit
also reviewed critical application account and password controls for the Boards of
Pharmacy and Nursing.
Finding 5
Password and account controls for the Board of Nursing and the Board of
Pharmacy were not sufficient to properly protect critical data.
Analysis
Password and account controls for the Board of Nursing and the Board of
Pharmacy were not sufficient to properly protect critical data (such as personally
identifiable information). Specifically, we noted that password and account
controls over critical applications used by the Boards of Nursing and Pharmacy
did not comply with required settings prescribed by either the current State of
Maryland Information Technology Security Manual, or the preceding Information
Security Policy with respect to password age, history, and account lockout. A
similar condition, for the Boards of Nursing and Pharmacy, was commented upon
in our preceding audit report.
19
Given these results from our review of selected systems and the fact that many of
the other boards and commissions maintain sensitive licensee information, we
believe MDH should ensure that all boards and commissions have established
appropriate password and account controls.
Recommendation 5
We recommend that
a. the two Boards implement strong controls over passwords and accounts
for critical applications in accordance with the settings prescribed by the
Information Technology Security Manual (repeat), and
b. MDH determine the extent to which additional application password and
account controls are needed to protect licensee data for the remaining
boards and commissions (repeat).
Procurements
Finding 6
The Board of Dental Examiners did not comply with State procurement
regulations when awarding two sole source contracts totaling $302,000 to a
vendor for a new licensing system.
Analysis
The Board of Dental Examiners did not comply with State procurement
regulations when awarding two sole source contracts totaling $302,000 to a
vendor for a new licensing system. Specifically, our review of the procurement of
licensing systems by four boards from a single vendor which totaled $1.1 million,
disclosed that the Board of Dental Examiners did not prepare written justifications
to support the use of the sole source procurement method for its two contracts
with the vendor. Additionally, the Board did not obtain Department of
Information Technology (DoIT) and Board of Public Works (BPW) approval,
when required. We concluded that the propriety of the sole source method used
was questionable because MDH’s Office of Procurement and Support Services
had previously advised the Board of Dental Examiners that the services could
potentially be provided by other vendors.
State procurement regulations provide that sole source procurements should only
be used when goods or services are available from only a single vendor, and
require that written justifications be prepared and approved prior to the contract
award. In addition, State procurement regulations provide that procurements of
information technology exceeding $100,000 require DoIT approval and contracts
20
over $200,000 require BPW approval. One of the two Board contracts with this
vendor exceeded $200,000.
Recommendation 6
We recommend that the Board of Dental Examiners
a. ensure sole source procurements are adequately justified and use the sole
source procurement method when only a single vendor can meet the
requirements; and
b. submit contracts to DoIT and BPW for review and approval, as required.
Consolidation of Operations
Analysis
The HPBCs had not pursued the consolidation of licensing, procurement, and
other fiscal operations such as collection of cash receipts to enhance internal
controls and maximize efficiencies. State law establishes each HPBC as an
independent unit and does not require them to consolidate these functions.
However, in our opinion, consolidating certain functions could help resolve
longstanding internal control deficiencies, including four of the five findings
repeated from our preceding audit report. For example, as noted in Finding 3,
seven HPBCs had not properly segregated cash handling and licensing duties,
which according to the HPBCs was due to limited personnel. We determined that
had their collection functions been consolidated, the current personnel assigned to
those functions for each HPBC could be used to help ensure the appropriate
segregation of duties. Furthermore, we noted that 16 of the HPBCs already have
consolidated their information technology support staff into one shared unit, so
there appears to be precedent for such actions.
21
increased competition and potential volume discounts. Additionally, had certain
of the procurements been consolidated, based on increased value, they may have
been subject to enhanced oversight via control agency and/or Board of Public
Works review and approval, which presently is not the case.
Recommendation 7
We recommend that the HPBCs collectively identify opportunities for
consolidating certain operations to enhance internal controls and maximize
efficiencies and, if deemed practical, develop a formal plan to accomplish
such enhancements.
22
Audit Scope, Objectives, and Methodology
We have conducted a fiscal compliance audit of Regulatory Services, a unit of the
Maryland Department of Health (MDH), for the period beginning September 28,
2015 and ending September 24, 2019. Regulatory Services consists of 22 Health
Professional Boards and Commissions and the Office of Health Care Quality
(OHCQ). The audit was conducted in accordance with generally accepted
government auditing standards. Those standards require that we plan and perform
the audit to obtain sufficient, appropriate evidence to provide a reasonable basis
for our findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.
Our assessment of internal controls was based on agency procedures and controls
in place at the time of our fieldwork. Our tests of transactions and other auditing
procedures were generally focused on the transactions occurring during our audit
period of September 28, 2015 to September 24, 2019, but may include
transactions before or after this period as we considered necessary to achieve our
audit objectives.
Our audit did not include certain support services provided to Regulatory Services
by MDH – Office of the Secretary. These support services (such as payroll,
purchasing, maintenance of accounting records, and related fiscal functions) are
included within the scope of our audit of the Office of the Secretary.
23
tested. Therefore, the results of the tests cannot be used to project those results to
the entire population from which the test items were selected.
We also performed various data extracts of pertinent information from the State’s
Financial Management Information System (such as revenue and expenditure
data) and the State’s Central Payroll Bureau (payroll data). The extracts are
performed as part of ongoing internal processes established by the Office of
Legislative Audits and were subject to various tests to determine data reliability.
We determined that the data extracted from these sources were sufficiently
reliable for the purposes the data were used during this audit.
We also extracted data from various agency systems, including the licensing
systems at various HPBCs and the inspection system at OHCQ, for the purpose of
testing whether licenses were properly issued and inspections were performed as
required. We performed various tests of the relevant data and determined that the
data were sufficiently reliable for the purposes the data were used during the
audit. Finally, we performed other auditing procedures that we considered
necessary to achieve our audit objectives. The reliability of data used in this
report for background or informational purposes was not assessed.
Our reports are designed to assist the Maryland General Assembly in exercising
its legislative oversight function and to provide constructive recommendations for
improving State operations. As a result, our reports generally do not address
activities we reviewed that are functioning properly.
24
This report includes findings relating to conditions that we consider to be
significant deficiencies in the design or operation of internal control that could
adversely affect Regulatory Services’ ability to maintain reliable financial
records, operate effectively and efficiently, and/or comply with applicable laws,
rules, and regulations. Our report also includes findings regarding significant
instances of noncompliance with applicable laws, rules, or regulations. Other less
significant findings were communicated to Regulatory Services’ that did not
warrant inclusion in this report.
The response from MDH, on behalf of Regulatory Services, to our findings and
recommendations is included as an appendix to this report. As prescribed in the
State Government Article, Section 2-1224 of the Annotated Code of Maryland,
we will advise MDH regarding the results of our review of its response.
25
APPENDIX
January 9, 2021
Enclosed, please find the responses to the draft audit report on the Maryland Department of
Health – Regulatory Services for the period beginning September 28, 2015 and ending
September 24, 2019.
If you have any questions, please contact Frederick D. Doggett at 410-767-0885 or email at
[email protected].
Sincerely,
Dennis R. Schrader
Acting Secretary
Enclosure
2
Maryland Department of Health
Regulatory Services
Complaint Tracking
Finding 1
The Board of Nursing and the Board of Professional Counselors and Therapists did not
provide sufficient oversight to ensure that complaints against licensees were investigated
timely. Our review disclosed that numerous complaints were not investigated within one
year.
We recommend that the Board of Nursing and Board of Professional Counselors and
Therapists
a. properly monitor complaints (such as by periodically reviewing the tracking logs) and
develop a strategy to ensure the timely disposition of complaints (repeat); and
b. properly maintain the tracking logs and ensure the logs reflect all critical information,
including key dates such as initial receipt (repeat).
Agency Response
Analysis Factually Accurate
Please provide
additional comments as
deemed necessary.
Page 1 of 20
Maryland Department of Health
Regulatory Services
Page 2 of 20
Maryland Department of Health
Regulatory Services
Inspections
Finding 2
The Office of Health Care Quality did not conduct required annual inspections of all
assisted living facilities and developmental disabilities service providers.
We recommend that OHCQ, in conjunction with MDH, ensure inspections of the assisted
living facilities and developmental disabilities service providers are completed as required
by law (repeat).
Agency Response
Analysis
Please provide
additional comments as
deemed necessary.
Page 3 of 20
Maryland Department of Health
Regulatory Services
Cash Receipts
Finding 3
Controls over collections directly received at and the deposits made by the majority of the
HPBCs were not adequate, and duties related to cash receipts and licensing were not
properly segregated.
Agency Response
Analysis Factually Accurate
Please provide
additional comments
as deemed
necessary.
Page 4 of 20
Maryland Department of Health
Regulatory Services
The Dental Board agrees and has made sure that adequate controls are in
place for depositing and that all receipts are properly accounted for. The
Dental board now uses a state approved vendor as the credit card merchant
and routinely reconciles all deposit activities.
Board of Pharmacy:
Page 5 of 20
Maryland Department of Health
Regulatory Services
Each Board has established adequate control procedures to ensure that all
credit card transactions are deposited into the State Treasury and credited to
the respective Board.
The MMCC clarified its fee collection duties must be segregated from
licensing duties. Beginning February 15, 2020, no employee who receives
or processes checks or money orders has access to licensing software. In
addition, the MMCC will perform quarterly audits to confirm (1) which
employees have access to the licensing software, (2) whether this access is
necessary for their job, and (3) that they do not receive or process
payments.
Page 6 of 20
Maryland Department of Health
Regulatory Services
The MMCC has also requested and received a check scanner, which will
reduce the number of employees required to accept/process payments.
MSBDE agrees with the findings and has put best practices in place to
assure that no staff members who accept/process mail, including checks, do
not have access to the licensing software and vice versa. Staff who may
print licenses, which require a physical signature by the Board President, do
not accept/process mail, including checks.
The Boards will regularly monitor staff access accessibility to ensure that
only authorized staff has access to information that is pertinent to their
duties.
Page 7 of 20
Maryland Department of Health
Regulatory Services
3/31/2021
MBON concurs with this finding and recommendation. The Board has
considered the feasibility of procuring lockbox services on several
occasions – most recently October 2019. It was determined that lockbox
service was not feasible at that time. However, the Board will re-evaluate
the feasibility of lockbox service, per this recommendation. The Board has
emails concerning this matter with our fiscal manager. Fiscally the lockbox
will cause a financial burden to the Board.
MBPTE has looked into lockbox services and finds it is not fiscally
responsible to pursue with over 92% of MDBPTE revenue transaction
payments are made with a credit card. Inquiries into the cost of a bank
lockbox found that the setup fee will be over $10,000.00 plus yearly bank
charges which will increase current expenses by over 300%. Plus, there
would be courier service costs to pick up checks mistakenly mailed to
MDBPTE. Fiscally a bank lockbox will cause a financial burden.
Additionally, a bank lockbox will delay the timely processing of licensing
payments which would adversely impact our efficiency and customer
service satisfaction.
In consideration of the fact that MDBPTE is self-funded, the majority of
transactions are through credit cards, and customer service would be
adversely impacted, it is not feasible for MDBPTE to have a bank lockbox.
Page 8 of 20
Maryland Department of Health
Regulatory Services
The Board & Commissions has investigated into looking into using a
lockbox and the results are as follow. It is not cost effective for these
Boards to use a lockbox for the following reasons.
• An analysis of lockboxes revealed that lockboxes are extremely
costly (setup fees, monthly fees for each lockbox, and service/transaction
for initial applications, and those that do for each payment processed). I.e.
in FY 19 the Pharmacy Board’s cost was $70,474 and $61,271 in FY 20.
The cost to install and maintain a lockbox can be more than some boards
collect.
• Many Boards currently have an online credit card payment system
for initial applications, and those that do not are scheduled to implement
this system. Currently, all Boards have online renewal payment systems.
• Lockboxes don’t account for other forms of payment received.
Therefore, multiple financial systems would need to be maintained.
Page 9 of 20
Maryland Department of Health
Regulatory Services
Board of Pharmacy:
Finding 4
Twenty-one HPBCs did not perform documented system access reviews of their licensing
system to ensure that user access capabilities were adequately restricted. As a result,
numerous users could unilaterally issue or renew licenses, and current or former
employees had unnecessary system access.
Page 10 of 20
Maryland Department of Health
Regulatory Services
Agency Response
Analysis Factually Accurate
Please provide
additional comments as
deemed necessary.
The MMCC has integrated its licensing system with One Stop, the
central hub for Maryland licenses, forms, certificates, permits,
applications, and registrations. The buildout of the MMCC platform on
One Stop will be completed by October 2020. The One Stop portal
allows system managers to review user access. At the MMCC, the
Executive Director, Deputy Director, and IT Director have appropriate
access to changer user permissions. These permissions will be reviewed
by the Department of Laboratories and Compliance every quarter in
Page 11 of 20
Maryland Department of Health
Regulatory Services
_________________________________________________________
_
Board of Dental Examiners:
Board of Physicians
_________________________________________________________
Page 12 of 20
Maryland Department of Health
Regulatory Services
Page 13 of 20
Maryland Department of Health
Regulatory Services
MSBDE ensures that users are assigned only those capabilities needed
to perform job duties and has eliminated all unnecessary access. The
SOP was finalized CY20 identifying who has what accesses and
capabilities in the licensing process.
Page 14 of 20
Maryland Department of Health
Regulatory Services
MDBPTE ensures that users are assigned only those capabilities needed
to perform job duties and has eliminated all unnecessary access.
MDBPTE Deputy Directors reviews the IT quarterly system permission
review report and informs the IT department in writing of any changes
required to users’ permissions.
Boards and Commissions ensures that users are assigned only those
capabilities needed to perform job duties and has eliminated all
unnecessary access. Written procedures have been developed
delineating requirements that must be met to be granted access.
Page 15 of 20
Maryland Department of Health
Regulatory Services
Finding 5
Password and account controls for the Board of Nursing and the Board of Pharmacy were
not sufficient to properly protect critical data.
We recommend that
a. the two Boards implement strong controls over passwords and accounts for critical
applications in accordance with the settings prescribed by the Information Technology
Security Manual (repeat), and
b. MDH determine the extent to which additional application password and account
controls are needed to protect licensee data for the remaining boards and commissions
(repeat).
Agency Response
Analysis Factually Accurate
Please provide
additional comments as
deemed necessary.
Page 16 of 20
Maryland Department of Health
Regulatory Services
Procurements
Finding 6
The Board of Dental Examiners did not comply with State procurement regulations when
awarding two sole source contracts totaling $302,000 to a vendor for a new licensing
system.
Agency Response
Analysis Factually Accurate
Please provide
additional comments as
deemed necessary.
Page 17 of 20
Maryland Department of Health
Regulatory Services
Please provide details of The Board of Dental Examiners will submit contracts to DoIT and BPW
corrective action or for review and approval, as required. The Board will develop a policy and
explain disagreement. procedure and look into training the Board and staff.
Consolidation of Operations
We recommend that the HPBCs collectively identify opportunities for consolidating certain
operations to enhance internal controls and maximize efficiencies and, if deemed practical,
develop a formal plan to accomplish such enhancements.
Agency Response
Analysis Factually Accurate
Please provide
additional comments as
deemed necessary.
Page 18 of 20
Maryland Department of Health
Regulatory Services
Board of Physicians:
The Board of Physicians has its own IT and Fiscal Units. The Board
owns its IT system outright. The Board’s IT system was created to meet
the needs of the Board and continues to be modified in response to
operational changes. Further, the Board of Physicians already pays a
larger, inequitable amount of shared costs and costs related to other
Boards which results in higher fees for our licensees.
Page 19 of 20
Maryland Department of Health
Regulatory Services
boards have merged onto the same automatic licensing system, and the
remaining boards are scheduled to join. The Boards follow the state’s
policies relating to procurement procedures and will continue to do so.
Page 20 of 20
AUDIT TEAM
Edward A. Rubenstein, CPA
Audit Manager
Ashley M. Darby
Paul A. McGrew
Daniel P. Nuccio, CPA, CFE
Dianne P. Ramirez
Staff Auditors