Auditor’s Review of Maryland Health Benefit Exchange Falls Short
We did not perform tests, interview relevant parties and stakeholders, or attempt to substantiate or refute the accuracy of the information in the documents or determine their completeness. We also do not know whether we received all documents that MHBE made available to the public.
The documents we reviewed indicate that the HIX development process faced many challenges. The early IV&V reports identified several critical project planning and management processes and protocols that had not been established even though the contract to develop HIX was awarded ten months prior to the issuance of the first IV&V report. For example, IV&V reports with January and February 2013 dates identified the lack of an overall project plan, insufficient staffing by MHBE and the vendors, and the lack of a State program director to manage project development efforts. At the end of February, only seven months remained before the October 1, 2013 go-live date for the Maryland Health Connection.
In the IV&V reports issued through September 30, 2013, the consultant identified 46 risks and 48 issues4, of which 9 risks and 28 issues were outstanding as of September 30, 2013. (See Exhibit C for a listing of all risks and issues.) Many were designated as high-impact risks and issues, covering many aspects of the HIX system development process, including project management, software development, and system testing and security…
As the October 1, 2013 go-live date approached, there was considerable concern expressed by the IV&V [consultant reports] about system testing and functionality. For example the September 30, 2013 IV&V report stated that “…full integration and end-to-end testing has not been completed due to continued problems with performance, environments, and code (bugs) issues.” The report also stated that “Capacity loads could not be properly assessed due to lack of true integration and UAT [User Acceptance Training] testing.” Because the HIX was not compete, planned training activities for navigators, assisters, counselors, call center staff, and other consumer assistance personnel were impeded.
We did see indications that proposals were evaluated, although we did not receive evaluation documents for every bidder in every category of service. Primarily due to heavy redaction, no conclusions can be offered on the choices made by MHBE. We could not determine, from the documents provided, the extent to which MHBE complied with applicable law and polices or sought legal advice about the procurement processes (for example, the extent of the required involvement of the Maryland Department of Information Technology [DoIT] and compliance with DoIT policies and procedures).
The oversight and governance structure that may have existed to oversee and steer the HIX development process was not apparent in the documents we received. Furthermore, documents did not shed light on who (whether an individual or group of individuals) was responsible for making key decisions regarding project direction and results and whether a go/no go meeting was held before the go-live date on October 1, 2013 as recommended by BerryDunn. There was no indication that DoIT had been involved with the project before October 1, 2013…
On a broader scale, the documents we received did not include any meeting agendas or minutes. Furthermore, the emails we received did not shed any light on who was making key project direction and oversight decisions up to the October 1, 2013 go-live date. For example, none of the documents attributed key decisions to the MHBE Board or the former MHBE Executive Director.