Board of Registration in Medicine
· Read the full official report (PDF) ↗
source
“Summary of Findings”
Read the plain-English breakdown
This is a Massachusetts State Auditor performance audit of the Board of Registration in Medicine, covering mainly July 1, 2010 through June 30, 2012.
“I am pleased to provide this performance audit of the Board of Registration in Medicine.”
Auditors reviewed whether the Board had proper controls and followed laws, rules, policies, and procedures in areas such as physician licensing, complaints, discipline, data security, credit-card processing, and prior audit fixes.
“The objectives of our audit were to review and evaluate the Board’s internal controls and its compliance with applicable laws, regulations, policies, and procedures in the following areas: (1) physician licensing, physician online profiles, investigation of complaints, hearings, and sanctions for misconduct; (2) the processing of mandated reports received on physician misconduct, disciplinary actions, and medical-malpractice matters; (3) physician training on how to report suspected child abuse; (4) the sharing of physician information with other states and the federal government as required by 243 Code of Massachusetts Regulations 1.02(11); (5) system access controls over the Consolidated Licensing and Regulation Information System and the OnBase application system; (6) controls over the processing of credit-card transactions; (7) expenditures for contract services related to information technology (IT); (8) employee background Criminal Offender Record Information (CORI) checks; (9) safeguarding of IT-related equipment; and (10) whether the Board implemented the necessary corrective actions to address the issues raised in our previous audit report (No. 2008-0117-4T).”
People use the Board’s information to decide whether to trust a doctor, so missing or unclear criminal and discipline information can affect patient choices and public safety.
“As a result, the Board cannot be certain that its online individual physician profiles are complete and accurate, which could affect the public’s ability to make informed decisions about physicians they are considering using as healthcare providers.”
If you are choosing a doctor in Massachusetts, this audit is about whether the public website gives you complete, understandable information about that doctor’s license, discipline, and serious criminal history.
“Information on the Board’s website, which is the Board’s primary means of disseminating information on disciplinary and/or criminal actions to the public, needs to be enhanced to ensure that the public will have complete and relevant information on which to base decisions about physicians.”
The Board had several important weaknesses, but auditors also noted that it had made progress on some issues and was taking steps to fix others.
“Based on its response, the Board is taking measures to address our concerns in this area.”
The report recommends that the Board work with the courts, improve its website, run criminal-record checks for new applicants, complete required security reviews, strengthen credit-card protections, and update and test its continuity plans.
“The Board should collaborate with the Executive Office of the Trial Court (EOTC) in order for EOTC to devise and implement a reporting system and develop related policies, procedures, and internal controls to ensure that court-mandated reports on physician criminal activity are routinely collected and reported to the Board.”
The biggest public-facing issue was that incomplete court reporting and unclear online profiles could keep people from seeing important information about doctors before choosing care.
“The absence of complete criminal activity information hinders the Board’s ability to discern any patterns of improper behavior among physicians and may preclude it from taking disciplinary actions.”
A CORI check means checking Massachusetts criminal-record information; the audit says the Board should use this check when someone first applies for a medical license.
“To ensure that the Board has a complete record of physician criminal activity, the Board should conduct a CORI check when a physician submits his or her initial application for a license to practice medicine in the Commonwealth.”
1 figure(s) pending source verification - not shown
What the Auditor checked
- Partially Did the Board maintain internal controls and comply with applicable laws, regulations, policies, and procedures for physician licensing, physician online profiles, investigation of complaints, hearings, and sanctions for misconduct?
- Did not comply Did the Board maintain internal controls and comply with applicable laws, regulations, policies, and procedures for processing mandated reports received on physician misconduct, disciplinary actions, and medical-malpractice matters?
- Did not comply Did the Board maintain internal controls and comply with applicable laws, regulations, policies, and procedures for controls over the processing of credit-card transactions?
- Partially Did the Board implement the necessary corrective actions to address the issues raised in the previous audit report?
What the Auditor found
Why it matters: The public may not have complete and accurate physician profile information, and the Board may miss patterns of misconduct or fail to take appropriate disciplinary action.
Standard: Chapter 112, Section 5, and Chapter 221, Section 26, of the Massachusetts General Laws require collection, reporting, and public dissemination of certain physician criminal activity. ( Chapter 112, Section 5, of the General Laws; Chapter 221, Section 26, of the General Laws )
2 recommendations
- The Board should collaborate with EOTC to implement a reporting system, policies, procedures, and internal controls so court-mandated reports on physician criminal activity are routinely collected and reported.agency: partially agreed
- The Board should conduct a CORI check when a physician submits an initial license application.agency: agreed
Agency response & Auditor reply
Agency: "While the Board accepts the Audit Team recommendations for increased collaboration with the Executive Office of the Trial Court (EOTC), the Board does not have jurisdiction over the EOTC and cannot enforce their compliance with M.G.L. c. 221, § 26. . . ."
Auditor: "Our report does not suggest that the Board should have to request information from EOTC on any criminal activity involving licensed physicians."
Why it matters: The public may not have complete and relevant information when deciding whether to use a physician.
Standard: Chapter 112, Section 5, of the General Laws requires disclosure of disciplinary actions and Massachusetts criminal actions to the public. ( Chapter 112, Section 5, of the General Laws )
4 recommendations
- The Board should update and periodically review its website to ensure consistency in reporting license status and disciplinary actions.agency: agreed
- The Board should ensure consistent reporting between disciplinary sections of its website and online physician profiles.agency: agreed
- The Board should correct the initial lookup screen so restricted active licenses display accurately.agency: agreed
- The Board should modify the generic profile-update description to better inform the public that there may be an issue with the physician’s license status.agency: agreed
Agency response & Auditor reply
Agency: "The Board appreciates the Audit Team’s recommendations regarding enhancements to the Board’s Profiles site."
Auditor: "However, when disciplinary actions or convictions have taken place, the Board should add that information to a physician’s profile as soon as the physician has had a chance to review it."
Why it matters: The Board could not be certain it had taken necessary measures to protect the security, confidentiality, and integrity of personal information.
Standard: Executive Order 504 requires written information security programs and electronic security plans, and EOAF policy requires annual self-audits. ( Enterprise Information Security Policy, Issue #2 )
1 recommendation
- The Board’s ISO, with DPH, should begin an annual review of IT security controls and file all required reports with ITD.agency: agreed
Agency response & Auditor reply
Agency: "The Board accepts the Audit Team’s recommendation regarding the lack of an information security program (ISP), electronic security plan (ESP), or self-assessment questionnaire for 2011 and 2012."
Auditor: "Based on its response, the Board is taking measures to address our concerns in this area."
Why it matters: The Board risked a security breach during credit-card transaction processing, fraudulent use of cardholder data, fines, penalties, and adverse publicity.
Standard: PCI DSS and Office of the State Comptroller procedure FY 2010-26 require validation of payment card security compliance by a Qualified Security Assessor. ( Payment Card Industry Data Security Standard; OSC procedure FY 2010-26: Payment Card Industry (PCI) Data Security Standard Compliance )
3 recommendations
- The Board should develop policies, procedures, and internal controls to ensure PCI DSS compliance.agency: agreed
- The Board should work with ITD to ensure all requirements and protections identified in the risk assessment are addressed and tested by the QSA.agency: agreed
- The Board should annually test access controls and security systems and regularly review and update related policies and procedures.agency: agreed
Agency response & Auditor reply
Agency: "The Board is committed to protecting the personal information of all individuals and will take appropriate steps in remediating findings."
Auditor: "Based on its response, the Board is taking measures to address our concerns in this area."
Why it matters: The Board could face delays restoring computer operations, processing physician licenses, and updating physician profiles after an interruption.
Standard: Executive Order 490 requires continuity planning, emergency operating procedures, emergency authority, communications, and safeguarding of critical systems, records, and databases. ( Executive Order 490 )
2 recommendations
- The Board should update its BCP to reflect changes to its technology environment and emergency contact list, assess information-system dependencies, test the plan, and incorporate results.agency: agreed
- The Board should identify an emergency relocation site in case its offices are inaccessible.agency: agreed
Agency response & Auditor reply
Agency: "The Board accepts the Audit Team’s finding regarding updating its business continuity plan (BCP)."
Auditor: "Based on its response, the Board is taking measures to address our concerns in this area."
More audits of this entity
Other Office of the State Auditor reports on Board of Registration in Medicine .
- Audit of the Board of Registration in MedicineAuthority / Commission · April 7, 2020