Audit Report on the Development and Implementation of Health Information Profiling System by the Administration for Children’s Services
EXECUTIVE SUMMARY
The fundamental responsibility of the Administration for Children’s Services (ACS) is the protection of children subjected to neglect and abuse. The ACS Office of Medical Services and Planning Division (MSP) is responsible for monitoring the medical care of children in foster care. Foster children are cared for by contracted agencies or directly by the City.
ACS hired Integrated Partners, Inc., in June 1999 to act as the project manager to design and develop its Health Information Profiling System (HIPS)¾ a customized computer application—to provide a centralized computer repository of health information for each child. HIPS allows ACS’ contract agencies to enter children’s medical records into the system and to review the medical information of all children in their care. In addition, the system allows MSP personnel to monitor a child’s medical condition to ensure that the contract agencies are providing adequate care and maintaining adequate medical records for children in their care.
HIPS Phase I was completed in December 2000. ACS is currently working on HIPS Phase II, which will provide additional enhancements, including report generating capabilities, the integration of import-export features, a document scanning feature, a medical service appointment tracking feature, and HIPS access through the Internet.
Our objectives were to determine whether:
- ACS followed a structured methodology for developing HIPS;
- HIPS meets the users’ needs,
- HIPS allows future enhancements and upgrades;
- users are satisfied with the system.
Our fieldwork was conducted from October 2001 to March 2002. To achieve our objectives we reviewed and analyzed these ACS documents:
- Health Information Profiling System Specification for Reports;
- User System Request;
- Final Functional Specifications (Business and System Requirements);
- Technical Profile;
- Issue Resolution log;
- Quality Assurance Plan/Process: HIPS1; and
- HIPS development and implementation plans.
In addition, we interviewed ACS officials, verified whether the system met design specifications, and conducted a user satisfaction survey.
Since the City does not have a formal System Development Methodology, we used the following as criteria for this audit:
- New York City Comptroller’s Internal Control and Accountability Directive 18 (Directive 18), "Guidelines for the Management, Protection and Control of Agency Information and Information Processing Systems,"
- Federal Information Processing Standards (FIPS), and
- National Institute of Standards and Technology Special Publication 500-223, A Framework for the Development and Assurance of High Integrity Software (NIST).
The audit was conducted in accordance with generally accepted government auditing Standards (GAGAS) and included tests of the records and other auditing procedures considered necessary. This audit was performed in accordance with the City Comptroller’s audit responsibilities as set forth in Chapter 5, § 93, of the New York City Charter.
ACS followed a structured methodology for developing HIPS. The system, as currently developed, allows for future enhancements and upgrades, and Phase I meets the users’ needs. The contract agency users were generally satisfied with HIPS, according to the results of our user satisfaction survey. However, those agencies have difficulty in accessing HIPS via a dial-in modem. In addition, ACS does not maintain adequate records of user accounts, User-IDs are not reviewed and updated, and HIPS users are not required to periodically change their passwords.
ACS should:
- Instruct its MIS division to determine whether dial-in access can be made easier.
- Review the list of User-IDs to identify and remove duplicate entries.
- Maintain a list of current users, in accordance with FIPS Standard 112 and Directive 18. The list should associate the User-ID with an individual and contract agency. In addition, ACS officials should require that contract agencies notify them whenever users have to be added or deleted from the system.
- Require that users periodically change their passwords.
The matters covered in this report were discussed with officials from ACS during and at the conclusion of this audit. A preliminary draft was sent to ACS officials and discussed at an exit conference held on May 15, 2002. On May 17, 2002, we submitted a draft report to ACS officials with a request for comments. We received a written response from ACS on June 3, 2002. ACS agreed with the audit’s findings and recommendations.