Memorandum

DATE: TO: October 25, 2011 Barry Schumacher, Chief of Employer Services Tim Wahlin, Chief of Injury Services Jodi Bjornson, General Counsel Tim Schenfisch, Director of Information Technology Kim Ehli, Director of Claims Tom Solberg, Director of Medical Services Darrel Enerson, Application Services Supervisor Steve Vaughan, Technology Services Supervisor Denise Bachler, Director of Office Services Cade Jorgenson, Decision Review Office Bryan Klipfel, Director Clare Carlson, Deputy Director John Halvorson, Chief Operating Officer Michele Blumhagen, Quality Assurance Director Krisi L. Kunz, Internal Auditor Micole Kvas, Internal Audit Director File Maintenance Review

CC:

FROM:

RE:

The Internal Audit Department at Workforce Safety & Insurance (WSI) recently completed a review of the maintenance of files for injured workers and employers. The review was conducted at the request of Management. Purpose The purpose of this review was to determine the adequacy of internal controls and procedures utilized in maintaining files for injured workers and employers. Scope The scope of the review was from January 1, 2010 through October 14, 2011, and included the following: Notepad entries made within the Claims Management System (CMS), including medical reviews completed by the WSI Medical Director that are documented within the CMS notepad. Notepad entries made within the Policyholder Information Computer System (PICS). Methodology Verified the appropriate procedures are being followed at the time a CMS notepad entry is deleted, moved or updated in an injured workers claim file. Verified medical opinion documentation from the WSI Medical Director is being included, unaltered, in the injured workers claim file. Verified the appropriate procedures are being followed at the time a PICS notepad entry is deleted, moved or updated in an employers account file. Page 1 of 7

Define Records The North Dakota Century Code (NDCC) 54-46-02(2) defines Record as follows: Record means document, book, paper, photograph, sound recording or other material, regardless of physical form or characteristics, made or received pursuant to law or in connection with the transaction of official business. Library and museum material made or acquired and preserved solely for reference or exhibition purposes, extra copies of documents preserved only for convenience of reference, and stocks of publications and of processed documents are not included within the definition of records as used in this chapter.
The Assistant Attorney General primarily addressing open records issues and the Director of the States Risk Management Division were contacted to obtain a general understanding of an agencys authority relating to the contents of a record. These discussions were consistent with the following basic principle:

Each individual state agency has the responsibility to determine the internal use of its records and further has the authority to dictate the format and content to help ensure records meet their intended purpose. Injured workers claim files and employers account files are included within WSIs records retention schedule: #190101 Injured Worker Claim File Description: This series contains information regarding injured work claims and the action taken. This includes medical and legal documents and any other general correspondence and documentation relating to the claim. Confidential: NDCC 65-05-32 #800304 Employer Account File Active Description: This series contains original application, annual payroll report, annual billing statements, 2nd, 3rd, 4th request for payment, optional employer contracts, and correspondence. Confidential: NDCC 65-04-15 #800305 Employer Account File Canceled Description: This series contains the same type of information as active accounts including original application. Confidential: NDCC 65-04-15 Review Results Internal Audit separated this review into three sections: CMS notepad entries, WSI Medical Directors medical reviews, and PICS notepad entries. Below you will find the review results for each of these sections, along with recommendations/suggestions for improvements. Section 1: CMS Notepad Entries The Claims Department currently has Claims Procedure #906 File Maintenance and Documentation, which indicates the following relating to the function of the notepad, along with moving, updating and deleting notepad entries:

Page 2 of 7

Notepad function: The notepad function of the Claims Management System (CMS) must accurately reflect the status of the claim file to include all claim activity. Summary of pertinent conversations and developments are also maintained within the notepad. Document precautions: 1. Use clear language, without personal codes so that other users can accurately follow claim activity. 2. Notes must reflect FACTUAL OCCURRENCES versus unsubstantiated opinions. 3. Enter notes under your own sign on. Do not us another activated computer or the note will be attached to that users ID. The system will automatically track those individuals entering notes into the system by the user signed onto the network. 4. Use of proper punctuation, accepted abbreviations and correct spelling. If an entry does not belong on a claim a clarifying entry should be made. Notepad entries can be moved if entered on the incorrect claim. Contact the designated supervisory staff to request the move. The category of notepad entries can also be updated by contacting the designated staff. Notepad entries can only be deleted with the approval of the claims director. Upon review and approval the claims director will delete the entry. The File Maintenance and Documentation procedure also gives examples of notepad entries. A few of these examples are: summary of claim filed; documentation of progress of the 3-point contact for new claims and reapplications; release of information documentation; and claim staffings. The Information Services (IS) Department indicated there are 375,071 notepad entries within CMS for Fiscal Year (FY) 2011 (July 1, 2010 through June 30, 2011). Currently, there is no audit trail for notepad entries that are updated, moved or deleted within the system. However, if the request is received through the Help Desk, a trail of the request/outcome is kept through the Information Technology Service Management (ITSM) system. The CMS system has the following security roles: Updating Notepads The only fields available for updates are the caption, high priority indicator and category. The caption and high priority indicator can be updated by any individual who can view notepad entries. The category can only be updated by a select number of individuals with override security. At the start of this review, there were 5 individuals with this security access: the Claims Director, the Claims Policy & Business Coordinator, 1 Claims Supervisor, the Office Services Supervisor, and 1 Claims Technician. The Office Services Supervisor and Claims Technician were removed during this review due to not needing this access for their job duties. Internal Audit did note that in FY 2011, the Help Desk received and completed 4 requests for notepad entries to be updated within the CMS system. Two of these requests came from an individual within the Legal Department asking for updates to the notepad category. The other 2 requests came from an individual within the Decision Review Office asking for updates to the notepad caption. Page 3 of 7

Moving Notepads Notes can be moved from one claim to another in two ways: 1) During a claim consolidation all notes are moved to the new claim. 2) Individual notes can be moved either within the same claim or to a different claim all together. For the same claim, the note ID can be stored on various tables that hook notes to certain windows in CMS. At the start of this review, there were 13 individuals with this security access: the Claims Director, the Claims Policy & Business Coordinator, 8 Claims Supervisors, the Utilization Review Supervisor, the Office Services Supervisor, and 1 IS Software Engineer. The Office Services Supervisor and IS Software Engineer were removed during this review due to not needing this access for their job duties. Internal Audit did note that in FY 2011, the Help Desk received and completed 9 requests for notepad entries to be moved within the CMS system. Two of these requests came from an individual with moving access who was unsuccessfully trying to move the notepad before making the request (system issue). The other 7 requests came from an individual within the Legal Department. Deleting Notepads CMS notes can be deleted. Once deleted, they are removed from the database with no record of them existing. At the start of this review, there were 3 individuals with this security access: the Claims Director, the Claims Policy & Business Coordinator (Claims Director backup), and 1 IS Software Engineer. The IS Software Engineers access was removed during this review due to not needing this access for his job duties. The Claims Department indicated the notepad entries are to address the factual information of the claim that may affect the injured worker and/or employer involved. The determination of what should and should not be documented within CMS notepad entries is made by the professional judgment of those who have the authority to make those decisions. Generally, the notepad entries are deleted if: A note containing confidential information was entered on the wrong claim and the WSI employee already reentered the notepad into the proper claim. The notepad entry contained inappropriate content, personal feelings or opinions. The Claims Director stated she has been sending her deletion requests to the Help Desk for approximately the last 8 months (November/December 2010) due to having system issues when she tries to delete the entries. When sent to the Help Desk, the request is assigned to one of two Database Administrators, who have full access to the data tables to update, move or delete information entered into CMS. The Claims Director backup was unable to remember the last time she deleted a notepad entry due to it being a very long time ago. Internal Audit did note that in FY 2011, the Help Desk received and completed 20 requests for notepad entries to be deleted within the CMS system. Three requests were received from individuals within the Claims Department, in which 2 had approval from the Claims Director; 10 requests were received from an individual within the Legal Department; 3 requests were received from an individual within the Decision Review Office; 3 requests were received from an individual within the Claims Technician Department; and, 1 request was received from an individual within the Return-to-Work Department. Thirteen of these 20 requests indicated the deletion was due to being entered Page 4 of 7

on the wrong claim; 1 was due to confidentiality reasons; and, 6 had no documented reason for the deletion within the request. Recommendations Internal Audit recommends WSI determine whether or not they should allow notepad entries in CMS to be deleted. During this determination they should consider the public perception of items being deleted from the system without any record. If WSI decides to discontinue deleting inappropriate notepad entries and notices an inappropriate notepad in the future, WSI could add an additional notepad entry explaining why the notepad is inappropriate and that training will be given to the individual who added the inappropriate notepad entry. In addition, Claims Procedure 906 should be updated to reflect this change, and all appropriate staff should be notified of this new process. If WSI decides to continue deleting inappropriate notepads, the following should be done: Review and update Claims Procedure 906 to include more detail/examples of reasons for notepad deletions. Once this is completed, all appropriate staff should be notified of this update. Documentation should be kept on notepad entries that were deleted. At a minimum, the date of the deletion, claim number, owner of the notepad entry, reason for the deletion, and what type of training was provided to the owner of the deleted notepad should be documented. In addition, all appropriate staff should receive refresher training on what is/is not appropriate to be entered into CMS notepads. This training should also include information on when notepad entries can/cannot be moved, updated and possibly deleted. All staff should know who is authorized to make changes, along with who has authority to make these requests to the Help Desk. If at all possible, these requests should be handled by the individuals who have system access to make these changes and not sent to the Help Desk. The Help Desk should develop and implement a process/procedure to ensure that requests, if received, have the appropriate approval before the notepad is moved, updated and possibly deleted. All IS staff that works with changes to notepad entries should be trained on this process/procedure. Note: Appropriate staff referred to above includes all individuals that have the capability to create CMS notepad entries. This would include all staff outside of Injury Services who have this capability, for example, the Legal Department and the Decision Review Office. Section 2: WSI Medical Directors Medical Reviews Medical reviews are completed by WSIs Medical Director when requested by the claims staff (or legal staff via claims staff). Medical reviews are generally requested if there is a question on compensability, there is legal action occurring or if it is a highly complex claim/injury. WSIs Medical Director developed his own standard format for his medical reviews in 2007, which includes: Identification of the injured worker and claim number Listing of all documentation reviewed during the medical review Clinical history Discussion Conclusion Page 5 of 7

o Which may include, if applicable, Proposed Questions to IME Physician and/or contrasting or conflicting evidence in support of counterarguments. References

Once a medical review is completed in a Microsoft Word document, the review (original copy) is saved in WSIs Medical Directors P:drive on the network. The full review text will be copied and pasted into a CMS notepad entry by the WSIs Medical Director and a hard copy will be printed and given to the Claims Adjuster who requested the medical review. The Claims Adjuster may or may not have the hard copy imaged into Work Manager. During FY 2011 (July 1, 2010 through June 30, 2011), WSIs Medical Director indicated he completed 50 medical reviews. Internal Audit reviewed 20 of the reviews to ensure no alterations were made to the documentation. This was done by receiving the original version from the WSI Medical Directors P:drive and comparing it to the CMS notepad entry and Work Manager (if applicable). No issues were noted; all 20 medical reviews had not been altered. Internal Audit did note that 13 out of the 20 reviews were located both within a CMS notepad entry and Work Manager. In addition to WSIs Medical Director, WSI has contracts with 2 physicians who complete medical reviews as requested by Claims Adjusters through form C141 Medical Director Referral. It was noted that each physician uses his own format to document his medical reviews and no formatting directions or requirements have been provided to the physicians from WSI. WSIs Medical Director indicated during the beginning of calendar year 2010 (February 5, 2010 through April 9, 2010), there were discussions held with Management on including/not including counterarguments within the conclusion section of his reviews. WSI Management wanted this section to be excluded. The WSIs Medical Director still continues to this day to include any counterarguments, if found to be applicable. One out of the 50 medical reviews completed by the WSIs Medical Director in FY 2011 contained counterarguments. Recommendation For consistency, Internal Audit recommends WSI develop a standard policy/procedure on completing medical reviews, which should be followed by all physicians. This policy should contain a standard format for what should be included/not included within a medical review, and where medical reviews should be documented once completed (CMS notepad and/or Work Manager). While developing this policy/procedure, it may be helpful to gain input from the physicians and/or the North Dakota Medical Association. Section 3: PICS Notepad Entries Policyholder Services (PHS) has an Operations Guide that indicates when notes are expected to be added to an employers account within the PICS systems. The note function basically assists staff in documenting the employer account handling process. Currently, the PHS Operations Guide does not have any policies or procedures documenting the maintenance of notepad entries within the PICS system (updating, moving or deleting notes). The IS Department indicated there are 52,331 notepad entries within PICS for FY 2011 (July 1, 2010 through June 30, 2011). Currently, there is no audit trail on notepad entries that are updated or moved within the system.

Page 6 of 7

The PICS system has the following security roles: Updating Notepads Not everything on the note can be updated. The fields that can be updated are: the text, the view indicator, and a follow-up date. The fields that cant be updated are: the date the note was entered, the category, the sub-category, and the policy period. The only person who can update a note is the one who originally created it. Moving Notepads Notes can be moved from one account to another. The only person who can move (transfer) a note is the one who originally created it. Deleting Notepads PICS notes cant be deleted, but the whole text could be changed or removed with the update function noted above. Recommendations Internal Audit recommends WSI determine whether or not they should allow the text of notepad entries in PICS to be updated, knowing that the text could be deleted in its entirety. During this determination they should consider the public perception of items being changed within the system without any record. If WSI decides to discontinue updating the text within notepad entries and notices an inappropriate notepad in the future, WSI could add an additional notepad entry explaining why the notepad is inappropriate and that training will be given to the individual who added the inappropriate notepad entry. If WSI decides to continue allowing the text of notepad entries to be updated, documentation should be kept on notepad entries that were updated. At a minimum, the date of the update, policy number, owner of the notepad entry, reason for the update, and what type of training was provided to the owner of the updated notepad should be documented. WSI should also consider narrowing the number of individuals that have access to make text updates within notepads (for example, only supervisors). In addition, the PHS Operations Guide should include policies/procedures on the maintenance of notepad entries within the PICS system (updating and moving notes). Consideration should also be made on narrowing the number of individuals with move capabilities. Once this is documented, all appropriate staff should be trained on the new policies/procedures. Note: Appropriate staff referred to above includes all individuals that have the capability to create PICS notepad entries.

If you have any questions regarding this review, please contact Krisi L. Kunz at x8-3828 or Micole Kvas at x8-3824. Thanks.

Page 7 of 7