Insurance Provider Declines Audit Says OPM OIG

Health Net California, a benefit-provider for federal employees, has been tagged as unwilling to submit to a recent security audit according to the Flash Audit Alert issued by the U.S. Office of Personnel Management (OPM) Office of the Inspector General Office of Audits (OIG).

For the past decade OPM has been tasked to conduct security audits on Federal Employee Health Benefit Program (FEHBP) insurance providers. The office is to check for areas that are susceptible to and can potentially be a gateway to illegal and unauthorized access to the protected health information of FEHBP members. As a partner of OPM, Health Net is contractually required to undergo these audits.

The main focus of OPM audits are the FEHBP’s information systems that allow for the storage and access of data. The problem, however, is that many insurance providers mix data of both members and non-members which make the audit cover all parts of the system that has any form of connection with the FEHBP data.

OPM’s Flash Audit Alert revealed that the office cannot ascertain if Health Net is indeed fulfilling its obligation as a guardian of FEHBP members’ protected health information since the company does not subject itself to the required audit. OPM said that aside from the refusal to undergo vulnerability and configuration management testing, Health Net did not also provide necessary documents that would enable the former to check whether the latter was able to prevent system access of former contractors and employees.

The report submitted by OPM stated that the procedures for the audit did not come from just one group. It is the result of a joint effort and collaboration of representatives from the health insurance industry particularly Chief Information Officers and Chief Information Security Officers. Health Net is no different from other insurance providers who all need to undergo testing.

About Christine Garcia 1310 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at