NEWS from the Office of the New York State Comptroller
Contact: Press Office 518-474-4015

State Comptroller DiNapoli Releases Audits

January 8, 2024

New York State Comptroller Thomas P. DiNapoli announced today the following audits have been issued.

Homes and Community Renewal – Division of Housing and Community Renewal – Physical and Financial Conditions at Selected Mitchell-Lama Developments Located Outside New York City (2022-S-46) 

The Mitchell-Lama Housing program (Program) was created to provide affordable rental and cooperative housing to middle-income families. In exchange for low-interest mortgage loans and real property tax exemptions, the Program required limitations on profit, income limits for tenants, and supervision by the Division of Housing and Community Renewal (DHCR). From a sample of five developments, auditors found that DHCR was not adequately overseeing financial and physical conditions. Management at all five sampled developments misspent funds, and management at two of the sampled developments, where auditors observed hazardous conditions, failed to provide a safe and clean living environment for their residents.

Department of Financial Services – Virtual Currency Licensing (2022-S-18) 

The Department of Financial Services (DFS) oversees the activities of nearly 3,000 financial institutions, including 21 virtual currency licensees with assets totaling more than $175 billion. Auditors found limited assurance that DFS is adequately performing its oversight responsibilities related to the application for and supervision of virtual currency licenses in the state, creating the risk that licenses could be granted to applicants whose financial stability has not been thoroughly verified, or that, once licensed, businesses may not maintain financial or cybersecurity standards. Not all license applicants completed a fingerprinting process that DFS uses to assess the backgrounds of major shareholders and officers prior to application approval; DFS could not support its verification of applicants’ tax obligations; licensees were not always in compliance with cybersecurity regulations; and DFS did not always ensure that licensees submitted all required financial reports used to assess the safety and soundness of their business operations.

Hudson River–Black River Regulating District – Security Over Critical Systems (2023-S-24) 

The Hudson River–Black River Regulating District’s (District) mission is to construct, maintain, and operate reservoirs in the upper Hudson River and Black River watershed for the purpose of regulating the flow of streams or rivers when required by public welfare. The District must adhere to the Office of Information Technology Services’ policies, which include applying the correct security controls for information used by the District, monitoring systems, and managing the risks of security exposure or compromise. It must also adhere to the Data Security Standards (DSS) established by the Payment Card Industry (PCI) Security Standards Council, which address security measures associated with credit card data. Auditors found that, overall, the District has demonstrated effort and timeliness in addressing security issues as they arise and has generally taken appropriate steps to secure processes and systems used to accept credit card payments, but they identified that documentation of certain policies and procedures could be improved to better meet PCI DSS requirements.

Department of Health – Patient Safety Center Activities and Handling of Revenues (Follow-Up) (2023-F-16) 

The Patient Safety Center (PSC) was established within the Department of Health (DOH) for the purpose of maximizing patient safety, reducing medical errors, and improving overall quality of health care. Penalties can be imposed against facilities and individuals in violation of the Public Health Law, a portion of which is deposited into a special revenue PSC account. A prior audit, issued in March 2021, found a lack of formal guidance governing certain enforcement and record-keeping practices as well as a need for improved oversight of PSC revenues and related activities to ensure that the PSC account is receiving all revenue due. The follow-up found DOH implemented all four of the initial recommendations.

Department of Civil Service – New York State Health Insurance Program – Payments by Beacon Health Options for Mental Health and Substance Abuse Services for Ineligible Members (Follow-Up) (2023-F-30) 

The Department of Civil Service (Civil Service) administers the New York State Health Insurance Program (NYSHIP) and contracts with Carelon Behavioral Health (Carelon), formerly Beacon Health Options, to administer the mental health and substance use (MHSU) program for the Empire Plan, NYSHIP’s primary health insurance plan. Civil Service is responsible for maintaining the New York Benefits and Accountability System (NYBEAS), the system of record for member enrollment and eligibility information. A prior audit, issued in May 2022, identified $3.21 million in overpayments for MHSU services, which resulted primarily from retroactive disenrollments (disenrollments entered into NYBEAS after the date the change in eligibility had taken effect). The follow-up found Carelon had recovered nearly $726,000 of the $3.21 million in overpaid claims identified, and Civil Service and Carelon implemented quarterly reconciliations of eligibility information between NYBEAS and Carelon’s system to help ensure claims are paid only for eligible members. Of the initial report’s four audit recommendations, three were implemented and one was partially implemented.

Department of Health – Medicaid Program: Improper Payments for Services Related to Ordering, Prescribing, Referring, or Attending Providers No Longer Participating in the Medicaid Program (Follow-Up) (2023-F-24) 

Beginning January 1, 2014, New York’s Medicaid program required that physicians and other health care professionals who order, prescribe, refer, or attend (OPRA) Medicaid services be appropriately screened and enrolled in Medicaid and have an “active” provider status. A prior audit, issued in April 2022, found that the Department of Health’s (DOH) eMedNY claims processing system edits designed to prevent payments for services with an inactive OPRA provider were flawed, and Medicaid made $965 million in payments for 2.3 million OPRA services by physicians and professionals who were no longer actively enrolled in Medicaid on the service date. The follow-up found DOH recovered less than 1% of the $965 million and DOH had not enhanced eMedNY controls to more promptly identify OPRA providers not actively enrolled in Medicaid and deny the related claims. Of the initial report’s six audit recommendations, one was implemented and five were not implemented.