An Audit Report on Pain Management Clinic Registration at the Texas Medical Board
June 2013
Report Number 13-037
Overall Conclusion
The Texas Medical Board (Board) has designed and implemented processes for registering pain management clinics since it was given responsibility for that function in fiscal year 2011. However, it should make improvements to ensure that it registers pain management clinics in accordance with statutes, rules, policies, and procedures.
The Board should verify compliance with all eligibility requirements prior to registering pain management clinics. The Board performs required background checks on the owners of pain management clinics. However, it does not perform the required background checks on employees or persons with whom a clinic contracts who may prescribe, dispense, administer, supply, or sell a controlled substance.
In addition, according to Texas Occupations Code, Section 168.102, a pain management clinic may not operate in Texas unless it is owned and operated by a medical director who is a physician who practices in Texas. However, the Board did not verify ownership for 41 (68 percent) of 60 pain management clinics that auditors tested.
Title 22, Texas Administrative Code, Section 195.2, also requires that the Board's executive director either review an application for a pain management clinic certificate or refer the application to a committee of the Board for approval. However, 54 (90 percent) of 60 pain management clinic applications auditors tested had the required approvals, and the remainder did not.
The Board should identify clinics that should be registered as pain management clinics. The Board identifies potential pain management clinics that have not been registered only if it receives a complaint. The Board should conduct other activities to enable it to identify pain management clinics that should be registered. For example, the Board should determine how data in the Department of Public Safety's prescription tracking system could be analyzed to determine whether an unregistered clinic appears to be operating as a pain management clinic.
The Board should ensure that pain management clinics whose certificates have expired discontinue operating until their certificates are renewed. Texas Occupations Code, Section 168.151, specifies that a pain management clinic may not operate until its certificate is renewed. As of January 31, 2013, 111 pain management clinics' certificates were delinquent, which means that their certificates had expired. The Board does not have information regarding whether those 111 pain management clinics are still operating.
The Board should monitor compliance with personnel and patient care requirements for pain management clinics it has registered. The Board does not have a process to ensure that pain management clinics comply with certain personnel and patient care requirements for (1) the percent of time a medical director is on site, (2) the percent of patient file reviews medical directors should perform, and (3) the establishment of protocols and quality assurance procedures for pain management. Not monitoring compliance with those requirements increases the risk that pain management clinic owners may not be appropriately supervising staff and overseeing patient care.
The Board should monitor the transfer or reassignment of pain management clinic ownership. Auditors reviewed ownership information on the certificate applications for a sample of 60 pain management clinics and could not validate that ownership had not changed for 22 (37 percent) of them. That increases the risk that a practitioner who has not been approved by the Board could be operating a pain management clinic.
The Board should strengthen certain information technology controls. The Board's general information technology controls generally ensure the reliability of the data in the systems that support the registration of pain management clinics; however, the Board should improve certain controls over access management, change management for the system the Board uses to track physician and staff data, and password management for all of its systems.
Auditors communicated other, less significant issues to the Board separately in writing.