Exhibit 99.1
Amedisys’
IT Division Profile
12/17/2008
|
1
Table of Contents
|
IT Division Profile
|3
|
Sarbanes Oxley Compliance
|6
|
IT Control Environment
|7
|
IT Division Supports End User Community
|12
|
IT Support Department
|13
|
IT Division Agency Enablement
|14
|
Infrastructure Capacity and Disaster Recovery
|15
|
Independent Third party Reviews
|16
|
2008 Case Mix Refinement Project
|17
|
Future Trends
|20
|
IT Recognition
|21
|
In Summary
|22
|
2
IT Division Profile
Amedisys’ IT Division is comprised of multiple departments, each contributing a unique and critical service, all in support of Amedisys’ overall mission of providing leading quality care to our patients. Outlined below is a list of departments within the IT Division and their primary responsibilities.
|Department
|Responsibilities
|
Enterprise IT Security
|
• System security administration
• Enterprise security risk awareness
• Enterprise security initiatives
|
IT Compliance
|
• Focus on IT Internal Control Environment
• Oversight of SOX Compliance Initiatives
• Liaison and coordination with Internal Audit, External Auditors and third party auditors
• IT Division Risk Awareness
• IT Policy and Procedure Compliance
|
IT Enterprise Metrics/
Project Management Office
|
• Project Management for IT Strategic Initiatives
• Liaison with the Business Units
• IT Enterprise Metrics
• Business Intelligence
|
Applications Development
|
• Software Development
• Quality Assurance
• Database Administration and Maintenance
• Acquisition Support and Data Conversion
• IT Integration
|Networking
|
• Network Infrastructure
• IT Operations
• Telecommunications
• IT Support
• Acquisition Support and Conversion
|IT Strategic Initiatives
|
• Strategic IT Project Development
|
3
IT Division Profile
(Continued)
Amedisys’ IT Division provides IT services to Amedisys to meet the current and future needs of the business. There are multiple recurrent responsibilities involved in supporting a fast growth company. The IT Division is responsible for:
|
4
IT Division Profile
(Continued)
Amedisys employees as a whole must be able to function as a team unit and deliver a high level of performance consistently. We believe that a big part of our success is attributable to the dedication and high engagement of our employees.
Specific to the IT Division, the department has grown from 55 active employees in 2005 to 105 active employees in 2008. The average yearly turnover rate is 10-16% with the exception of a 24% turnover rate in 2006 due to a company-wide reduction in force.
Our maintenance of a 10-16% turnover rate irrespective of the environmental pace allows us to continue to execute our mission. Of all terminations over the past 4 years, 64% were voluntary, 2% transfers and the remaining 34% were involuntary based upon capacity or performance in their job role.
As a Division, we spend a significant amount of time in the recruiting process evaluating candidates. We will continue to hone our recruitment and talent management skills to ensure the Division attracts those most qualified to support a fast growth company.
|
5
Sarbanes Oxley Compliance
Summary of SOX trends
Each year IT-dependent controls over financial reporting are audited as to their design and operating effectiveness. These audits are performed by a combination of consultants, our internal SOX compliance team and our Internal Audit department. The work of these three separate groups includes assessing the IT control environment, which includes IT general and IT application controls.
Amedisys’ IT Division recognizes that the work required to meet the Sarbanes Oxley Act is not merely a compliance process, but rather is an opportunity to establish accountability and responsibility to business requirements. Amedisys’ IT Division has taken a top-down, risk-based approach to SOX designed to help ensure that sufficient and appropriate attention is given to areas of highest risk. As a division, we remain extremely committed to enhancing the control environment.
As can be seen by the graph below, Amedisys has achieved continuing improvements in its design and operating effectiveness of its IT control environment over the past three years. As Amedisys continues to improve on its IT control environment, it looks for ways to add value. For instance, audit improvements year to date can be attributed to hiring an IT Compliance Manager in 2008 who was previously an Information Systems auditor for a large public accounting firm and is a Certified Information Systems Auditor (CISA).
To date, our IT SOX audits have resulted in no significant deficiencies or material weaknesses, with a noted decrease in minor control deficiencies, reflecting the results of our continuous improvement initiatives. Additionally, as of November 30, 2008, our initial 2008 assessment of our IT control environment has noted no significant deficiencies or material weaknesses.
Below summarizes the SOX audit findings to date:
|
6
IT Control Environment
Where to find IT Controls
IT Controls
|
7
IT Control Environment
IT Controls (continued)
Amedisys’ IT Division employs many resources and is supported by IT Senior Management in its effort to achieve and sustain a strong control environment.
|1.
|Entity Level Controls
(Executive Management)
Entity-level controls set the tone and culture of the organization. IT entity-level controls are a key component of the company’s overall control environment.
|•
|
IT business objectives support the organization. Management has prepared strategic plans for IT that align business objectives with IT strategies. Executive Management regularly meets to ensure alignment between the company’s strategy, goals and objectives and the activities of the IT Department.
|•
|
IT management obtains independent reviews of its operations, including policies, procedures, overall IT systems and processes. These independent reviews are conducted by external consultants and provide continual feedback on benchmarking strategies, best practice analyses and opportunities for improvement.
|•
|
Internal Audit performs annual IT audits. They are responsible for reviewing IT activities and controls, including general and application controls as part of their annual Audit Plan. They have a follow up process that requires management to address any noted deficiencies.
|•
|
IT Management has established appropriate Enterprise Risk Management metrics to effectively manage the day-to-day activities of the IT department. Each IT Department is responsible for identifying key metrics to measure and monitor its group. These metrics provide a tool to monitor the overall risk profile of the Amedisys IT Division.
|•
|
Clear lines of authority and responsibility have been established within the IT Division. An organizational chart depicts the structure of the IT Department and assigns authority and responsibility. Specific business operators have been assigned as module owners to ensure the organization’s IT needs are consistently identified at the business unit level.
|
8
|•
|
IT Departments have established Policies and Procedures. IT departmental policies and procedures are reviewed and updated by management as needed to reflect changing business conditions.
|•
|
The Systems Development Life Cycle is used to address complex and significant initiatives. Amedisys employs this process to ensure that projects support strategic business objectives and that resources are effectively implemented throughout the entire life of the project: Initiation Phase, Analysis Phase, System Design and Development Phase, Testing Phase and Implementation (Roll-out) Phase.
|•
|
The Amedisys IT Division has an IT Change Management Board in place. This board is responsible for reviewing and approving any change that might affect IT systems and enterprise resources.
|2.
|Application Controls
(Business Process)
Application controls are embedded within business process applications. Increasingly, business processes are being automated and integrated with complex and highly efficient IT systems. Amedisys’ IT Division enables other business units by providing the services necessary to implement sound application controls where they are requested for inputs, processing and outputs.
In addition to aiding the business units in implementing application controls, Amedisys’ IT Division has taken a proactive approach in implementing audit controls specifically related to the Revenue Stream Data Flow.
|
9
Revenue Stream Audit Controls
|•
|
POC Audit Tool
|¡
|
Identifies if data transfer errors between POC (Clinician’s laptop) and AMS2 (Billing System) exist
|¡
|
Independent recalculation of the HIPPS code (Revenue per Episode)
|•
|
AMS2 Audit Tool
|¡
|
Identifies unauthorized changes to AMS2 (Billing System)
|•
|
ARR Audit Tool
|¡
|
Independent recalculation of Revenue Stream designed to ensure that any IT changes have not impacted the Revenue cycle.
|3.
|IT General Controls
(IT Services)
IT General Controls are embedded within IT processes to provide a reliable operating environment and to support the effective operation of application controls.
|•
|
IT Change Management Controls
Provide a consistent and systematic approach for modifying Amedisys’ IT systems and resources.
|¡
|
A formal request must be approved by a Business Unit Owner for all proposed changes to production application systems before the development process may begin.
|¡
|
A proposed change must be tested by the IT Quality Assurance group.
|¡
|
A proposed change must be tested and approved by the Business Unit requesting the change.
|¡
|
IT Security and IT Compliance groups must review and sign off on all proposed changes.
|¡
|
The IT Change Management Board must review and approve all proposed changes.
|¡
|
Communication and Training is provided to affected end users and IT support.
|¡
|
After any change is implemented, post-release testing is coordinated by the Quality Assurance group for changes that affect the following areas: Revenue Stream, controls over financial reporting, System Holds, Payroll, and any other area deemed necessary by Quality Assurance or the IT Change Management Board.
|
10
|•
|
IT Security Controls
|¡
|
Physical Access - Equipment used in the processing of sensitive data as part of mission critical applications is operated in a restricted environment at all times. Physical Access to the IT data center(s) is restricted to authorized individuals. Only those whose job requires them to have access to the room are given authorization to enter as needed.
|¡
|
Logical Access - Procedures for gaining system access have been established and are followed. Users gaining system access must be approved by an appropriate level. Terminated users are disabled in a timely manner and a review of terminated employees’ access is performed on a periodic basis. Additionally, a full review of system access is performed on an annual basis.
|¡
|
User Security Settings - Procedures are followed to maintain the effectiveness of authentication and access mechanisms. Password settings are in place to prevent unauthorized access. Additionally, inactive terminals are locked automatically.
|¡
|
Network - An Intrusion Detection System and Firewall are in place to protect the network.
|¡
|
Anti-Virus - Anti-Virus software protects systems from viruses.
|•
|
IT Operations Controls
|¡
|
The IT data center(s) is equipped with proper environmental controls.
|¡
|
System performance and capacity are monitored regularly.
|¡
|
Appropriate backup and recovery policies and procedures are executed.
|¡
|
End user incidents are tracked, escalated and resolved by IT Support Department.
|
11
IT Division Supports End User Community
The IT Division provides value to Amedisys in the form of technology-based services. Amedisys’ user community has grown tremendously over the past three years at the corporate and agency level. Outlined below is a four year trend of the user count supported by the IT Division. The IT Division currently supports 15,258 users in 37 states.
Users supported by Amedisys’ IT Division
|
Year
|User Count
|
12/31/2005
|5,944
|
12/31/2006
|6,828
|
12/31/2007
|9,379
|
11/30/2008
|15,258
|
12
IT Support Department
Our IT Support Department provides support to our end user community by handling end user requests such as password resets, hardware and software support, general questions from clinicians, etc. Within the past two years, Amedisys’ IT Division implemented software to aid in tracking end user requests and resolutions. Outlined below is the trend of end user requests handled by IT Support in 2008.
IT Support Requests in 2008
|
13
IT Division Agency Enablement
Amedisys’ IT Division provides an important service to our end user community by providing our agencies the technology infrastructure they require to operate. Agencies served consist of acquisitions and start ups. In 2008, through September 30, Amedisys’ IT Division has enabled the following number of Home Health and Hospice agencies:
Outlined below is a three year trend of Home Health and Hospice agency enablement:
|
14
Infrastructure Capacity and Disaster Recovery
High Level Overview
Amedisys is committed to leveraging technologies from Global IT Leaders. These best-of-breed technologies, which include Microsoft, EMC, IBM and Cisco, form the backbone of the Amedisys Core and Data Processing Platform. This platform not only allows for secure high transactional data processing, but also safeguards financial and business data through various off-site data replication techniques.
Because Amedisys is a fast growth company, it is critical to ensure the organization’s infrastructure has the capacity for growth. This year, Amedisys upgraded its core technical infrastructure. The new core combined with the migration to a Qwest MPLS network will allow for faster integration of acquisitions and internal growth without impacting existing business, as well as take advantage of collaborative technologies such as Voice over IP (VoIP) and Video Conferencing. This new infrastructure will allow the company to double in size with expanded scalability, increased security and greater performance.
Additionally, Amedisys has developed an extensive Disaster Recovery Plan to support the overall Amedisys Business Continuity Plan. The Disaster Recovery Plan was developed in conjunction with industry best practices. A remote, out of region data center hosts replicated data and allows for quick recovery times in the event the Corporate data center should become impaired.
Testing of the Disaster Recovery/Business Continuity Plan is performed annually or more often at the recommendation of the Enterprise Risk Management Steering and Sub-Committees. In September 2008, the Corporate office was faced with a true disaster when Baton Rouge took a direct hit from Hurricane Gustav. Due to the planning and execution from the IT Division, the Corporate office and data center remained fully functional during the entire incident.
|
15
Independent Third Party Reviews
Amedisys’ IT Division strives for continual improvement by periodically assessing the current state of the IT practice and re-aligning IT services as appropriate to improve and support the changing business environment. As part of this continual improvement process, Amedisys’ IT Division periodically hires consultants to perform independent third party reviews. During 2007—2008, the IT Division has contracted with the following firms to perform reviews:
Microsoft Consulting Services – Provides comprehensive technology expertise
|•
|
In 2007, Microsoft Services performed an enterprise review and gap analysis on IT Best Practices for Amedisys’ IT Division and provided recommendations. Based on their analysis the IT Division built an Enterprise Project Management Office and added an SVP of IT to focus on IT Governance.
Third Sky – IT service management consulting, implementation and education
|•
|
In 2008, Third Sky performed an IT Service Management maturity assessment for the IT Division. Additionally, they educated Amedisys’ IT Division on Information Technology Infrastructure Library (ITIL) best practices in an intensive training session. At the end of this training class, twenty-eight management staff took and passed the ITIL Foundation exam. It is the Division’s goal to continue to engrain ITIL practices into the department.
CMA Technology Solutions – an IBM Premier Business Partner and leading provider of technology solutions
|•
|
In 2008, CMA was contracted to perform an enterprise security assessment including a penetration test of the network. Various recommendations were identified and solutions implemented as a result of this review.
Mainline Information Systems – specializes in providing integrated IT solutions
|•
|
In 2008, Mainline performed an Infrastructure assessment on server, desktop, network, storage, database and disaster recovery components within the environment.
Third party consulting reviews
|•
|
The company utilizes an outside third party consulting firm to test its IT controls.
|
16
2008 Case Mix Refinement Project
Overview
In 2007 Medicare announced changes to the Case-Mix and PPS Reimbursement regulations which would go into effect January 1, 2008. This required that Amedisys make programming changes to its billing system to comply with the new regulations. Amedisys’ IT Division implemented the ‘2008 Case Mix Refinement Project’ to address these changes. The changes to the Billing system went through the Systems Development Life Cycle process and Change Management processes discussed earlier in the IT Controls section.
Three separate entities performed testing of this change:
|
17
2008 Case Mix Refinement Project
Testing
In order to perform a complete test of AMS2, patient data was tested as it flows through the system.
Factors
The beginning and ending date of an episode were factors in determining which payment method would be used (old vs. new payment rules). To ensure that claims would follow the appropriate rules, the testing sample was broken down into three claim categories:
1. Claims for episodes beginning in 2007 and ending in 2007
2. Claims for episodes beginning in 2007 and ending in 2008
3. Claims for episodes beginning in 2008 and ending in 2008
|
18
2008 Case Mix Refinement Project
The refinement was tested by several groups.
External Consultants
|•
|
A third party validation was performed. Documentation recommendations were implemented by the respective Business Unit Owners.
Amedisys Internal Audit
|•
|
Internal Audit performed an assurance review, testing patient data as it flowed through the system. They noted no exceptions.
Amedisys Corporate Department Testing
|•
|
Pre-Implementation Testing Results
|¡
|
As items were noted during testing they were addressed by our IT development team and re-tested prior to implementation.
|•
|
Post-Implementation Testing Results
|¡
|
No errors were noted during post-implementation testing.
|¡
|
Management’s Conclusion - On 03/31/2008 Senior Management of Quality Management & Analytics, Revenue Recovery, and Accounting signed off stating that they “approved that the application changes moved into production are working as expected.”
|
19
Future Trends
In addition to current initiatives, Amedisys’ IT Division is continuously planning and identifying future projects. Outlined below are a few initiatives planned for the near future.
Continued IT Control Environment Improvement
|•
|
Each year the Department focuses on enhancing its control environment. Amedisys’ IT Division will utilize the CobiT framework published by ISACA to perform a gap analysis to review for improvement opportunities in the IT Control Environment.
IT Service Management
|•
|
Amedisys’ IT Division will utilize Information Technology Infrastructure Library (ITIL) as a framework towards transforming the IT Division into an IT Service Management shop with a goal of serving the Amedisys business community with superior customer service. In 2008, twenty-eight IT management staff took and passed the ITIL Foundation exam. It is the Division’s goal to continue to engrain ITIL practices into the Department.
IT Operations Center
|•
|
Over the next few months, Amedisys’ IT Division will construct a state of the art IT Operations Center connected to our Corporate Data Center.
|
20
IT Recognition
Ranked in Top 50 most innovative companies
In September 2008, Amedisys was recognized as one of the top 50 most innovative companies in the country by Information Week Magazine. Information Week, a national publication dedicated to defining the business value of technology, recognizes the top 500 Business Technology Innovators each year. Amedisys ranked 44th for the companywide implementation of the Point of Care system. The Point of Care system is a laptop computer technology used by Amedisys’ nurses and therapists to document and monitor each patient’s health condition and plan of care. The system has enhanced the company’s clinical compliance controls and delivered a positive net impact to earnings through improved administrative efficiencies.
“We are pleased to have been recognized as one of the top technologically innovative companies,” stated William F. Borne, Chief Executive Officer of Amedisys, Inc. “Amedisys has committed significant financial and human resources to implement our Point of Care system, which we believe allows our caregivers to deliver a much higher level of care consistency to our patients while benefiting our bottom line through streamlined business processes.”
|
21
In Summary
Amedisys’ IT Division supports a fast growing company through the following initiatives:
|•
|
Strategic Initiatives
|•
|
Control Initiatives
|•
|
Acquisition Initiatives
|•
|
Start up Initiatives
|•
|
Service Initiatives
|•
|
Infrastructure Initiatives
We are committed to creating quantifiable business efficiencies and delivering an enhanced control environment.
|
22