SB3304

SECTION 1. The legislature finds that effective oversight of managed care organizations contracted under the State's medicaid managed care program is essential to ensure the proper use of public funds and the delivery of quality health care services to medicaid beneficiaries. The legislature further finds that independent oversight of the department of human services is necessary to verify the department's reporting, data governance, internal reconciliation processes, and its execution of federal program integrity obligations.

The legislature believes that transparency, accountability, and program integrity can be strengthened through two distinct, biennial audit tracks conducted by the auditor, consisting of a contractor and provider audit and a department audit.

The legislature finds that the contractor and provider audit could examine managed care contractors, their subcontractors, provider networks, encounter and claims data, and external quality review work products. The legislature further finds that the department audit would examine the department of human services and its med-QUEST division's reporting, data governance, internal reconciliation processes, secret shopper implementation, advisory council functioning, and compliance with federal program integrity and reporting obligations. The legislature also finds that each audit track would have a tailored scope, methodology, access, and reporting requirements and that where audits overlap, the auditor would require cross-track reconciliation and coordinated findings.

The legislature additionally finds that although the auditor has held statutory authority since 1975 to audit medicaid health care insurance contractors, this authority has not been exercised in a regular, scheduled way. The absence of systematic, periodic audits of the State's medicaid program has left the State vulnerable to undetected mismanagement, diminished quality of care, and erosion of public trust. The legislature further finds that the auditor is authorized to audit state departments, divisions, and offices that administer, oversee, or receive federal or state funds for medicaid programs, including the department of human services and its med-QUEST division. The legislature also finds that for the purposes of this measure's proposed audits, the auditor should have authority to access and examine records, working papers, contracts, data submissions, reporting templates, and supporting documentation, to interview relevant personnel, and to coordinate audit activities with federal and other state auditors.

The legislature finds that the department of human services documented multiple cases of medicaid overpayments in 2021 and 2022 attributable to provider ineligibility, payment for noncovered services, and failures of prior authorization controls, resulting in recoupment actions, tax offsets, and court judgments. The legislature further finds that additional examples of medicaid overpayment include payments continued after provider enrollment lapses, claims paid without required prior authorization, and duplicate payments later identified through administrative review, each requiring recovery efforts and, in some instances, civil collection activity.

The legislature additionally finds that state-level procurement and contract oversight reviews identified inconsistent encounter data reconciliation practices between contractors and the State, with a memoranda of understanding and interagency correspondence documenting delays and gaps in data exchange and reconciliation protocols. These financial oversight gaps increased the risk of payment errors and hindered timely corrective action.

The legislature further finds that a Centers for Medicare and Medicaid Services program integrity review of the State in 2023 identified operational weaknesses, including inaccurate encounter reporting, insufficient provider screening, and inadequate reconciliation of capitation versus fee-for-service payments. The legislature believes that these weaknesses create ongoing fiscal and programmatic risk if left unaddressed.

The legislature additionally finds that the contracted external quality review report (EQR) states that med-QUEST plans meet the State primary care provider standard and supplies plan-level provider-to-enrollee metrics. State workforce and physician shortage reports identify persistent provider shortages in multiple counties and specialties. The legislature finds that the EQR work product, med-QUEST division reporting templates used to collect contractor data, and related verification activities contain item gaps and procedural interruptions that may materially affect provider capacity conclusions. Because the EQR findings and independent workforce assessments present materially inconsistent representations of provider capacity, and because data collection instruments and verification activities appear to be misaligned or incomplete, the EQR report alone is insufficient to establish reliable provider capacity conclusions for policy or payment determinations. The legislature finds that the department of human services may be reporting incomplete or inaccurate data to federal oversight entities, which could compromise program integrity and hinder effective oversight.

The legislature believes that the auditor should prepare and report on the performance of the department of human services with respect to federal and state medicaid requirements, including compliance with reporting requirements; the functioning of required advisory councils; secret shopper surveys; and the existence of a qualified external quality review as required under federal law.

The legislature finds that the department of human services has demonstrated recurring failures that warrant an independent auditor review, including documented medicaid overpayments and uneven recovery actions that have not fully protected public funds.

The legislature further finds that State and contract oversight materials reveal inconsistent and delayed encounter data reconciliation between contractors and the State, creating risks of payment errors and undermining timely corrective action. Med-QUEST division reporting templates and verification activities contain procedural gaps and interruptions that materially impair conclusions about provider capacity and network adequacy. In addition, there is evidence of incomplete or inaccurate reporting to federal oversight entities, suspended or inadequately executed timely access and secret shopper verification activities, and insufficient provider screening that allows duplicate, inactive, or misclassified provider records. These weaknesses increase the likelihood of improper payments and compromised beneficiary access.

The legislature finds that contract oversight shortcomings and data governance failures prevent reliable assessment of managed care performance and obstruct effective remediation. The legislature believes that an impartial, statutorily empowered audit is necessary to identify root causes, reconcile contractor and department records, and recommend remedies to protect program integrity and ensure timely, high-quality care for medicaid beneficiaries.

The legislature further finds that multiple states have codified or institutionalized biennial or recurring medicaid audit requirements for contractors and that numerous additional states conduct recurring audits or targeted reviews through their state auditors, medicaid agencies, or inspector general offices. The legislature additionally finds that state auditors in multiple jurisdictions conduct audits of the departments that administer the medicaid program, examining program administration, eligibility and enrollment controls, data governance, federal reporting, and internal recovery and program integrity functions. These departmental audits complement contractor focused audits by validating state processes, reconciling contractor submissions with state reporting, and identifying systemic control weaknesses that require statutory, administrative, or funding remedies.

The legislature also finds that state auditors nationwide report hundreds of medicaid audit findings annually, with a substantial percentage being repeat findings, indicating persistent control weaknesses that risk ongoing improper payments and underscoring the value of sustained independent auditing to achieve durable remediation.

The legislature further finds that federal payment accuracy reporting estimates medicaid improper payments in the tens of billions of dollars annually, reflecting documentation, eligibility, and payment processing vulnerabilities that audits can help detect and correct. The legislature believes that enforcement and recovery activity by medicaid fraud control units demonstrates that a portion of improper payments is the result of prosecutable provider fraud. Strengthened state auditing and program integrity controls would materially support recoveries, exclusions, and deterrence of medicaid fraud.

The legislature further finds that the Medicaid Program Integrity Manual, published by the Centers for Medicare and Medicaid Services, underscores the importance of audits in identifying fraud, waste, and abuse and calls for proactive collaboration between auditors and state agencies to ensure program integrity. Regular, risk informed audits are a recognized control that supports accurate payments, eligibility determinations, appropriate utilization management, and timely corrective action.

The legislature believes that the aforementioned two distinct biennial medical program audits--a contractor and provider audit and a department audit--conducted by the auditor are necessary to ensure financial integrity, compliance with federal and state regulations, appropriate utilization and delivery of services, and the delivery of high-quality health care. These audits will restore transparency, reinforce public trust, and strengthen the efficacy of the State's medicaid managed care program.

Accordingly, the purpose of this Act is to require the auditor to conduct a separate biennial audit for all medicaid health care insurance contractors and the department of human services and its med-QUEST division.

SECTION 2. Chapter 23, Hawaii Revised Statutes, is amended by adding a new part to be appropriately designated and to read as follows:

"Part . REVIEW OF THE STATE medicaid PROGRAM

§23-A Definitions. As used in this part:

"Audit track" means one of the audits established under sections 23-B or 23-C.

"Department" means the department of human services.

"Encounter data" means data submitted by a medicaid health care insurance contractor to the State that describes services provided to members, including but not limited to dates of service, procedure codes, diagnosis codes, service provider identifiers, units of service, and billed and allowed amounts.

"External quality review work product" means the external quality review deliverables produced or retained by contractors or their external quality review vendors.

"Medicaid health care insurance contractor" means any managed care organization, prepaid health plan, or other entity under contract with the department of human services to provide medicaid managed care services, whether directly or through subcontract, including wholly-owned subsidiaries, related parties, or third-party administrators that perform claims adjudication, care management, or network administration functions.

"Overpayment" means any funds disbursed or paid by the State that are in excess of the amount due and payable under program rules, contract terms, or applicable law, including payments made to ineligible providers, for noncovered services, for duplicate claims, or due to calculation errors.

"Program integrity" means the processes, controls, and systems used to detect, prevent, and recover improper payments, fraud, waste, and abuse.

"Protected health information" has the same meaning as defined in title 45 Code of Federal Regulations section 160.103, as may be amended.

"Reconciliation" means the State's enrollment, payment, and licensure records used to validate contractor encounter submissions.

"Risk-based methodology" means a documented approach used by the auditor to prioritize audits based on objective risk indicators including financial exposure, prior findings, complaint and hotline data, contract changes, or other indicators the auditor determines relevant.

"Subcontractor" means any entity that has been delegated contractual authority by a medicaid health care insurance contractor to perform services or functions, including but not limited to utilization management, prior authorization, claims processing, pharmacy benefit management, behavioral health services, long term services and supports, or provider network management.

§23-B Medicaid contractor and provider audit. (a) The auditor shall conduct at least once every two years a management, financial, performance, and data audit of each medicaid health care insurance contractor, their subcontractors, and provider networks under contract with the department. The first audit shall be conducted no later than January 1, 2027, with the first audit report to be submitted to the governor, legislature, and director of human services no later than twenty days prior to the regular session of 2027.

(b) The audits shall:

(1) Examine claims and encounter data, provider enrollment and credentialing practices, network adequacy and provider-to-enrollee metrics, external quality review reports and processes, contract compliance, and program integrity safeguards applied by contractors;

(2) Review financial management, claims adjudication, and contract compliance by the contractor and its subcontractors;

(3) Reconcile contractor enrollee rosters and provider lists with med-QUEST enrollment files and state licensure and credentialing records to identify mismatches, duplicates, inactive records, and misclassified providers;

(4) Reproduce and validate provider-to-enrollee ratio calculations, including sampling frames, weighting methods, and any formulae used to generate plan-level metrics;

(5) Verify encounter data completeness and accuracy and document data sources, reconciliation steps, provider definitions, and inclusion and exclusion criteria;

(6) Conduct an independent performance and data audit of the contractor's external quality review work product, including methodological critique and reconciliation with independent workforce data; and

(7) Produce a public audit report for each contractor and provider audit containing itemized reconciliations, methodological critiques, corrective recommendations, and suggested contractual or statutory remedies.

(c) All medicaid health care insurance contractors and their subcontractors shall cooperate with and assist the auditor as needed in conducting the audit, including promptly providing all records, documents, and any other information requested by the auditor in the course of the audit.

(d) The auditor shall submit a report of its findings and recommendations to the governor, legislature, and director of human services no later than twenty days prior to the convening of the regular session following the year in which the audit is conducted.

Each contractor and provider audit report shall be at the plan level, clearly identify contractor responsibilities, and be made publicly available with redactions only as required by law. Each report shall include an executive summary that identifies which entity or entities are subject to the auditor's recommendations, cross referenced reconciliations where applicable, office of the auditor budget utilization, and a timetable for recommended corrective actions. The auditor shall provide notice to any affected contractor of major findings no later than thirty days before public release.

(e) The auditor may conduct additional audits as deemed necessary based on risk assessments or at the request of the governor, legislature, or director of human services. The auditor may initiate expedited audits for credible allegations of fraud, waste, or abuse. Initiation criteria, scope, and timelines for expedited reviews shall be documented in the auditor's published audit schedule.

§23-C Medicaid department audit. (a) The auditor shall conduct at least once every two years a management and performance audit of the department and its med-QUEST division. The first audit shall be conducted no later than January 1, 2027, with the first audit report to be submitted to the governor, legislature, and director of human services no later than twenty days prior to the regular session of 2027.

(b) The audits shall:

(1) Examine the department's data governance, internal reconciliation processes, functioning of required advisory councils, contracting oversight practices, and actions taken by the department to detect, recover, and prevent improper payments;

(2) Review the department's reporting accuracy to federal and state oversight entities, timeliness of submissions, and evidence of internal validation and reconciliation;

(3) Evaluate med-QUEST division reporting templates, their implementation, and alignment with contractual network adequacy standards;

(4) Review secret shopper survey design, sampling methodology, implementation protocols, data collection instruments, timeliness of execution, result validation and reconciliation, and documentation of corrective actions;

(5) Reproduce, where feasible, a statistically valid sample of secret shopper calls or visits and assess whether secret shopper findings were incorporated into contractor oversight and corrective action;

(6) Assess timely access verification activities, including identification of periods when verification was suspended or materially limited, quantification of verification gaps, and evaluation of their effect on access conclusions;

(7) Review departmental contract oversight practices, provider screening procedures, overpayment detection and recovery processes, and data governance controls; and

(8) Produce a public audit report for the department audit containing itemized reconciliations, methodological critiques, corrective recommendations, and suggested statutory, administrative, or funding remedies.

(c) The department and its med-QUEST division shall cooperate with and assist the auditor as needed in conducting the audit, including promptly providing all records, documents, and any other information requested by the auditor in the course of the audit.

Each department audit report shall be at the state level, clearly identify department responsibilities, and be made publicly available with redactions only as required by law. Each report shall include an executive summary that identifies which entity or entities are subject to the auditor's recommendations, cross referenced reconciliations where applicable, office of the auditor budget utilization, and a timetable for recommended corrective actions. The auditor shall provide notice to the department of major findings no later than thirty days before public release.

(e) The auditor may conduct additional audits as deemed necessary based on risk assessments or at the request of the governor, legislature, or director of human services. The auditor may initiate expedited audits for systemic reporting failures. Initiation criteria, scope, and timelines for expedited review shall be documented in the auditor's published audit schedule.

§23-D Audit methodology; access and evidence; cross-track reconciliation; multi-year audit schedule. (a) The auditor shall perform audits in accordance with generally accepted government auditing standards and shall have authority to review and test contractor and department policies, examine records, interview personnel, use sampling and analytics, and coordinate with federal and state auditors.

(b) For contractor and provider audits under section 23-B, the auditor's access shall include, where applicable and subject to lawful protections, contractor claims systems, adjudication logs, subcontractor agreements, pharmacy benefit management records, external quality review vendor working papers, and other contractor evidence necessary to validate contractor submissions.

(c) For department audits under section 23-C, the auditor's access shall include department enrollment files, med-QUEST division reporting templates and submission logs, internal reconciliation logs, secret shopper instruments and results, interagency correspondence, and other state records necessary to validate departmental reporting and reconciliation activities.

(d) When requested evidence contains protected health information or proprietary contractor materials, the auditor shall obtain appropriate data use agreements and handle the information and materials in accordance with federal and state privacy laws. The auditor shall apply uniform redaction standards and publish a redaction matrix with each public report identifying legal bases for redactions.

(e) The Auditor shall develop and publish a multi-year audit schedule no later than , 2026. The schedule shall identify sequencing, projected audit periods, and estimated completion windows for each audit track. The auditor shall use a risk-based methodology to prioritize audits and shall structure the schedule to include coordination windows that require cross track reconciliation for audits addressing the same reporting periods. For matters that overlap both audit tracks, including reconciliation between contractor encounter submissions and department reporting, the auditor shall coordinate findings across tracks, require joint reconciliation workpapers where necessary, and include cross referenced reconciliations in each relevant report.

§23-E Confidentiality; data protection; redaction protocol. (a) The auditor shall handle protected health information in accordance with federal and state privacy laws and obtain necessary data use agreements for secure handling and limited disclosure for both audit tracks.

(b) The auditor shall adopt and publish a redaction matrix accompanying each public report that documents the legal authority for each redaction and identifies the supplying party.

(c) Where contractor proprietary information is necessary for audit validation but is lawfully protected, the auditor shall require contractors to provide summaries or independent attestations where feasible to preserve audit transparency without disclosing confidential trade secrets.

§23-F Coordination authorization. (a) The auditor may coordinate audit activities and share nonconfidential findings with federal oversight entities and other state auditors when relevant.

(b) For contractor billing practices or claims integrity matters, the auditor shall note federal coordination actions in the contractor audit report under section 23-B. For state reporting, reconciliation, or compliance matters, the auditor shall note federal coordination actions in the department audit report under section 23-C. All coordination actions shall be recorded in the public audit record to the extent permitted by law.

§23-G Response to audit report; follow up reviews. (a) For department audits pursuant to section 23-C, the director of human services shall provide a written response and corrective action plan within sixty days of report issuance. For contractor and provider audits pursuant to section 23-B, contractors shall provide written responses and corrective action plans within sixty days of report issuance and shall deliver remediation certifications to both the auditor and the department where remediation affects State reporting.

(b) Where contractor remediation affects department reporting or federal submissions, the department and contractor shall jointly certify reconciliations and corrective steps within specified timelines established in the auditor's report.

(c) The auditor shall include follow up reviews of prior audit recommendations for both audit tracks to verify implementation. Repeat findings of noncompliance or areas of concerns shall be classified and systemic weaknesses highlighted.

§23-H Rules; guidance. (a) The auditor shall adopt rules pursuant to chapter 91 necessary for the purposes of this part. (b) The auditor shall publish separate guidance annexes for contractor evidence submissions and for department med-QUEST division templates and reconciliation protocols.

(c) The auditor, in consultation with the department, may issue guidance on documentation standards, secure data transfer protocols, evidence submission formats, and analytic specifications. The guidance shall not alter statutory or contractual obligations."

SECTION 3. There is appropriated out of the general revenues of the State of Hawaii the sum of $ or so much thereof as may be necessary for fiscal year 2026-2027 for the auditor to:

(1) Implement a multi-year audit schedule;

(2) Conduct the provider and contactor audit and department audit under sections 23-B and 23-C, Hawaii Revised Statutes, respectively;

(3) Procure necessary expertise or consulting services;

(4) Acquire data analytic tools; and

(5) Support secure data handling.

The sum appropriated shall be expended by the office of the auditor for the purposes of this Act.

SECTION 4. If any provision of this Act, or the application thereof to any person or circumstance, is held invalid, the invalidity does not affect other provisions or applications of the Act that can be given effect without the invalid provision or application, and to this end the provisions of this Act are severable.

SECTION 5. In codifying the new sections added by section 2 of this Act, the revisor of statutes shall substitute appropriate section numbers for the letters used in designating the new sections in this Act.

SECTION 6. This Act shall take effect on July 1, 2026.

INTRODUCED BY:	_____________________________

THE SENATE	S.B. NO.	3304
THIRTY-THIRD LEGISLATURE, 2026
STATE OF HAWAII