- A state audit of the Illinois Health Information Exchange (ILHIE) has found material weakness in the organization's internal controls over the first few months of its existence.
The report from the Auditor General of the State of Illinois lists more than 20 items where ILHIE has failed to comply with state rules and regulations, many of which are tied to financial management. ILHIE took over responsibility for the state's HIE contract in February 2014.
Chief among them is the finding of inaccurate financial information related to IHLIE expenditures between February and June 2015. According to the state audit, the organization did not properly record $2.5 million and $1,136 that was not recorded in its accounting software entirely as a result of the organization maintaining two separate "books of record."
Another financial misstep emerged as a result of ILHIE's management of subscriber fees. The state audit noted inaccurate fee assessments during testing, showing that the organization did not properly exercise the provision of agreements with subscribers which could lead to "fiscal instability" and the inability to cover the cost of its operations.
"Based on sample testing of ten subscriber Agreements and invoices, the auditors noted differences in eight of the subscriber’s invoices. The differences ranged from overbilling by $508 to under-billing by $2,625," the report states.
ILHIE similar struggled to maintain and report accurate accounts receivable records. "During sample testing, the auditors noted the accounts receivable recorded for seven of ten (70%) subscribers to the Illinois Health Information Exchange were inaccurate, resulting in an overstatement of accounts receivable of $10,531 at June 30, 2014," the report finds.
The organization also failed to properly managed terminated HIE participants, whose records were reportedly expunged from ILHIE's system "which resulted in permanent deletion of any historical account record and information."
Additionally, ILHIE lacked procedures for assessing and collecting fees and charges from healthcare providers or other connected entities.
Contract payments were another area of deficiency, both for third-party vendors and the administration of the organization itself.
During testing, the state audit showed inconsistencies in the timing and payment of invoices to third-parties:
• All invoices submitted by the vendor were dated August 5, 2014, with services dating from January 1, 2014.
• Two invoices, totaling $201,376 included services from January 1, 2014 through February 6, 2014, totaling $66,532, which was prior to the creation of the Authority.
• Three invoices, totaling $731,648 stated they were for Change Orders that were dated August 1, 2014 and August 13, 2014.
• One invoice, totaling $377,872, was for the percentage of completion for the same service. However, the contract payment schedule was based on the completion of deliverables.
• The services described in three of the invoices, totaling $731,648 could not be tied to the original or contract renewal services.
• One invoice was not approved by the Authority.
As for its own administrative contracts, ILHIE field for $1.3 million in funding without having filed a contract amendment with the state.
Especially troubling is the organization's oversight of computer security.
"Without the implementation of adequate controls and procedures, there is a greater risk unauthorized access to the Authority’s resources may be gained and data destroyed," the report states. "Prudent business practices dictate the Authority identify all assets and strengthen its security to protect its assets and resources against unauthorized access and misuse."
By and large, ILHIE agreed with the findings in the state audit. The full report is available here.