Arizona Department of Health Services
Arizona Department of Health Services
Arizona Department of Health Services
September 2019
Report 19-112
Lindsey A. Perry
Auditor General
The Arizona Office of the Auditor General’s mission is to provide independent and impartial information and
specific recommendations to improve the operations of State and local government entities. To this end, the
Office provides financial audits and accounting services to the State and political subdivisions, investigates
possible misuse of public monies, and conducts performance audits and special reviews of school districts,
State agencies, and the programs they administer.
Audit Staff
Dale Chapman, Director Gina Alvarado
Dot Reinhard, Manager Cameron Doelling
Melinda Gardner, Manager Jessika Hallquist
Austin Lee
Clinton Pullam
Kerri Rundle
Contact Information
Arizona Office of the Auditor General
2910 N. 44th St., Ste. 410
Phoenix, AZ 85018-7271
(602) 553-0333
www.azauditor.gov
MELANIE M. CHESNEY ARIZONA AUDITOR GENERAL JOSEPH D. MOORE
DEPUTY AUDITOR GENERAL DEPUTY AUDITOR GENERAL
LINDSEY A. PERRY
Transmitted herewith is the Auditor General’s report, A Performance Audit and Sunset Review of the
Arizona Department of Health Services. This report is in response to a September 14, 2016,
resolution of the Joint Legislative Audit Committee. The performance audit and sunset review was
conducted as part of the sunset review process prescribed in Arizona Revised Statutes §41-2951
et seq. I am also transmitting within this report a copy of the Report Highlights to provide a quick
summary for your convenience.
As outlined in its response, the Arizona Department of Health Services agrees with all but 2 of the
findings and indicates that it will implement most of the recommendations directed to it.
Sincerely,
reports. Specifically, we found that as of June 2019, 38 Self-reports Open and Shortest
628 days
Longest
of the 70 complaints and self-reports were still open and Total: 37 uninvestigated 173 days 904 days
Recommendations
• The Department should ensure all long-term care facility complaints and self-reports are prioritized, investigated, and
resolved in a timely manner.
• The Legislature should consider forming a task force to study and propose policy options for addressing the
Department’s timely investigation and processing of long-term care facility complaints and self-reports to help ensure
resident health and safety.
We also identified the following gaps in the Department’s data classification, risk assessment, and IT security awareness
training processes:
• Data classification helps to ensure sensitive data is protected from loss, misuse, or inappropriate disclosure. Although
the Department reported that it treats all its data as confidential, it has not inventoried its data and documented the
classification of that data.
• The Department has not conducted a formal Department-wide IT risk assessment since 2015. A risk assessment is a
structured process recommended by credible industry standards and required by ASET policy that at least annually
identifies IT risks within an organization—such as weak security practices, outdated systems, or the lack of a plan for
restoring IT systems following a disaster.
• The Department requires all employees and contractors to complete basic security awareness training when initially
hired and annually thereafter, but is not enforcing this requirement. Specifically, only 20 percent of the Department’s
1,128 employees completed both trainings in 2018.
Recommendations
The Department should:
• Develop and implement web application development policies and procedures that incorporate security into the
development and modification process.
• Develop and implement revisions to its data classification, risk assessment, and security awareness training policies
and procedures to align with ASET requirements and credible industry standards.
Open meeting law—The Department is responsible for more than 30 boards, commissions, committees, councils,
subcommittees, teams, and user or work groups that are subject to open meeting law requirements. We reviewed 3
meetings for a Department-supported committee and council and found that the Department did not consistently comply
with open meeting law requirements.
Recommendation
The Department should develop and implement policies, procedures, training, and an oversight process to help ensure
that the boards, commissions, and councils it supports comply with open meeting law requirements.
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
17
21
PAGE i
TABLE OF CONTENTS
Issue 4: Department has not enforced requirement that its employees complete security awareness
trainings during onboarding and annually thereafter
Recommendations
Sunset factors 27
Department response
Figures
8
10
Table
Schedule of revenues and expenditures
Fiscal years 2017 through 2019
(Unaudited) 4
PAGE ii
INTRODUCTION
This is the fourth of 4 performance audit reports released as a part of the sunset review of the Arizona Department
of Health Services (Department). The first report (Report 19-107) focused on the Department’s administration of
the Medical Marijuana Program. The second report (Report 19-109) addressed the Department’s processes for
procuring goods and services through contracts, monitoring contracts and agreements to ensure requirements
are met, and processing payments for contracts and agreements. The third report (Report 19-111) addressed
the Department’s administration of the Arizona State Hospital (State Hospital). This fourth report addresses the
statutory sunset factors and includes findings on the Department’s long-term care facility complaint- and self-
report-handling processes, its conflict-of-interest practices, and 4 information technology (IT) security areas.
• State Hospital (587.25 filled FTE positions; 141.50 vacancies)—At the State Hospital, the Department
operates its Civil and Forensic Hospitals, which have a total of 260 beds. The Civil Hospital treats court-
ordered persons with serious mental illness, and the Forensic Hospital treats persons adjudicated through
the criminal justice system that must be restored to competency or are found guilty-except-insane. The
Department also operates the Arizona Community Protection and Treatment Center, a 100-bed facility that
houses and treats court-ordered sexually violent persons. (See Auditor General Report 19-111 for more
information.)
• Office of Continuous Improvement (4 filled FTE positions; 1 vacancy)—This office performs several
functions, including strategic planning and State health assessment and improvement planning, and supports
the Department’s efforts to maintain its public health accreditation, a voluntary accreditation program that
measures a health department’s performance against a set of nationally recognized, practice-focused,
and evidence-based standards.1 It also helps the Department deploy the Arizona Management System,
the Arizona Governor’s Office’s results-driven management system through which State agencies track and
improve their performance.
1
This accreditation is through the Public Health Accreditation Board, a nonprofit organization.
PAGE 1
• Planning and Operations (150 filled FTE positions; 19 vacancies)—This division performs various
operational functions, including business and financial services, human resource management, information
technology services, internal and external audits, and facilities management. This division includes the
Department’s procurement office, which helps Department programs identify and develop contract scopes
of work and terms, and comply with procurement requirements when the goods and services the Department
needs are not available through State-wide contracts (see Auditor General Report 19-109 for more information).
• Policy and Intergovernmental Affairs (16 filled FTE positions; 6.5 vacancies)—This division provides
legal support to the Department’s director and executive team and acts as a liaison between the Department
and the Attorney General’s Office. Additionally, this division conducts rulemakings and develops substantive
policy statements and guidance documents.
• Public Health Licensing (239.75 filled FTE positions; 16.50 vacancies)—This division regulates health
and childcare facilities and providers in Arizona, including nursing homes, daycare centers, and assisted
living facilities. Its responsibilities include inspecting facilities to ensure that they remain in compliance with
regulatory standards and investigating complaints about regulated facilities or professions. Laws 2019, Ch.
133, requires the Department to license and regulate intermediate care facilities, which provide long-term
residential and medical care services for individuals with intellectual disabilities.2 These facilities are required
to obtain State licensure on or before January 1, 2020.3 Although these facilities were federally certified
through the federal Centers for Medicare and Medicaid Services (CMS) and the Department conducted annual
inspections on behalf of CMS, these facilities were previously exempt from State licensure requirements.
• Public Health Preparedness (238 filled FTE positions; 12.25 vacancies)—This division is responsible for
ensuring that the public health system is prepared for public health emergencies. For example, it coordinates
a State-wide system of emergency medical services and provides education to and certification of first
responders. This division also works to prevent and control infectious disease outbreak through programs
such as the Arizona Immunization Program, which offers resources and information on vaccinations.
Additionally, the State Laboratory analyzes infectious and communicable diseases and operates the Newborn
Screening Program, which tests Arizona newborns for over 30 congenital disorders. This division also helps
fulfill the Department’s statutory responsibility to prescribe reasonably necessary measures to ensure that
all retail food or drink in the State is safe for consumption.4 For example, the Department has established
licensure and other regulatory requirements for food establishments as well as food safety requirements. In
addition, although the Department generally delegates the licensure and regulation of food establishments in
the State to the counties, registered sanitarians from this division perform preoperational inspections of food
establishments.
• Public Health Prevention (114.75 filled FTE positions; 16 vacancies)—This division promotes and
supports the health and wellness of Arizonans through various programs and policy development. For
example, the WIC program is a nutrition program that helps families learn about eating well and staying
healthy. The division also works to advance policies that impact chronic disease risk factors and helps
develop approaches for HIV prevention. Through this division, the Department also addresses health systems
development to improve access to primary healthcare.
2
There are 10 State-operated intermediate care facilities and 1 privately operated facility, Hacienda Healthcare (Hacienda).
3
As of August 16, 2019, of the 11 intermediate care facilities, the Department has only licensed Hacienda, which received its license on April 26,
2019. However, on June 25, 2019, the State had issued an intent to revoke Hacienda’s license, and CMS provided notice that it would terminate
the provider agreement with the facility as of July 3, 2019, because of noncompliance with basic health and safety requirements. On August 5,
2019, the Department reported that Hacienda requested a hearing regarding the termination of the CMS provider agreement and was also
working with the Department on an informal settlement agreement. As of August 5, 2019, the Department had yet to revoke the State license,
and the CMS provider agreement had not been terminated.
4
A.R.S. §36-136(I)(4).
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 2
Department-supported boards and commissions
The Department provides support for more than 30 boards, commissions, committees, councils, subcommittees,
teams, and user or work groups. For example, the Department is responsible for:
• The Arizona State Hospital Governing Body, which meets regularly regarding the operation of the State
Hospital.
• The Tobacco Trust Commission, established pursuant to Arizona Revised Statutes (A.R.S.) §36-779, which
serves as an advisory board to the Department on the goals, objectives, and activities of tobacco control
programs that receive tobacco revenue monies from the Department.
• The Emergency Medical Services Council, formed to provide recommendations to the Department regarding
the adoption of standards for training and certification relative to emergency medical services within the State.
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 3
Table 1
Schedule of revenues and expenditures
Fiscal years 2017 through 2019
(Unaudited)
2017 2018 2019
(Actual) (Actual) (Actual)
Revenues
Intergovernmental1 $287,341,251 $276,451,848 $260,752,045
State General Fund appropriations 77,953,264 92,379,360 88,781,663
Licensing and fees 37,063,417 43,690,328 49,599,519
Tobacco sales taxes 28,141,365 27,496,044 25,298,339
Charges for goods and services 11,549,760 10,078,064 10,844,495
Lottery proceeds 9,672,137 9,896,746 10,084,817
Institutional care2 5,352,048 6,207,658 3,173,980
Fines, forfeits, and penalties 2,189,470 5,549,498 5,593,647
Nuclear Emergency Management Fund3 789,663 789,663
Rental income 1,188,879 820,593 928,219
Consumer Restitution and Remediation Revolving 400,600
Fund4
Interest income 772,398 920,566 1,115,965
Other 2,516,935 2,664,577 1,981,774
Total gross revenues 463,740,924 477,345,545 458,944,126
Remittances to the State General Fund5 (5,383,793) (6,530,392) (4,909,320)
Net credit card fees (581,928) (759,528) (622,799)
Total net revenues 457,775,203 470,055,625 453,412,007
Expenditures and transfers
Payroll and related benefits 103,570,374 109,487,134 109,348,083
Professional and outside services 33,210,861 36,067,254 28,506,877
Travel 1,452,793 1,383,479 1,521,110
Food and related expenditures 2,718,787 2,920,588 2,997,963
Aid to individuals and organizations6 249,841,286 237,608,109 229,117,364
Other operating7 53,220,242 57,146,908 54,970,834
Furniture, equipment, and software 3,767,259 4,843,894 3,544,748
Total expenditures 447,781,602 449,457,366 430,005,979
Transfers to the State General Fund8 35,000,000 4,600,000 1,000,000
Transfers to the other agencies9 14,054,964 10,662,957 10,815,303
Total expenditures and transfers 496,836,566 464,720,323 441,821,282
Excess of revenues over (under) expenditures (39,061,363) 5,335,302 11,590,725
Department fund balance, beginning of year 142,252,081 103,190,718 108,700,420
Bureau of Radiation Control fund balance, beginning 174,400
of year10
Fund balance, end of year $103,190,718 $108,700,420 $120,291,145
1
Intergovernmental revenues include a $1.2 million transfer from the Arizona Health Care Cost Containment System (AHCCCS) to the
Department for the costs of prescription medications for persons with a serious mental illness at the State Hospital in both fiscal years 2017 and
2018, as required by Laws 2016, Ch. 117, §17, and Laws 2017, Ch. 305, §12.
2
Institutional care revenues are fees collected from government and/or individuals for services such as providing housing, food, and health. For
example, the State Hospital receives reimbursements from AHCCCS (a federal Title XIX Medicaid Waiver program) for services provided to
AHCCCS-eligible patients and from Arizona counties for services provided to persons after serving their sentences who the courts convicted of
sexually violent crimes and committed to the State Hospital for further confinement and treatment. The institutional care revenues decreased
between fiscal years 2018 and 2019 because the county share of the cost of daily care for sexually violent persons was eliminated. The
decrease in revenues was compensated by an increase in State General Fund appropriations.
3
Nuclear Emergency Management Fund revenues were an appropriation the Department received from this fund for programs relating to off-site
nuclear emergency response plans in accordance with Laws, 2017, Ch. 43, §3.
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 4
4
Consumer Restitution and Remediation Revolving Fund revenues were an appropriation the Department received from this fund for the opioid
abuse prevention campaign in accordance with Laws 2018, Ch. 1, §44.
5
Remittances to the State General Fund are monies the Department remitted to the State General Fund in accordance with statutes. For
example, the Department is required to remit 10 percent of certain license fees such as fees collected for childcare facility and audiologist
licenses. The State Hospital is required to remit all monies collected for examination, evaluation, treatment, and maintenance of patients for
voluntary admissions or federal, State, public, or private medical benefits in accordance with A.R.S. §36-545.02.
6
Aid to individuals and organizations comprises payments for various State and federal grants and agreements. For example, the Department
entered into agreements for distributing benefits from and administering the federal WIC program and Supplemental Nutrition Assistance
Program. In addition, the Department awarded grants for Arizona Biomedical Research Center investigators and entered into an agreement to
establish a smoker’s helpline that were paid for by tobacco tax monies.
7
Other operating expenditures comprise items such as rent, utilities, prescription drugs, medical supplies, and computer-related expenditures
such as software support and maintenance.
8
Transfers to the State General Fund in fiscal years 2017 and 2018 were required by Laws 2017, Ch. 305, §138; Laws 2018, Ch. 276, §139; and
Laws 2018, Ch. 276, §140, to provide adequate support and maintenance for State agencies.
9
Contracts or laws require various transfers to other agencies. For example, during fiscal years 2017 and 2018, the Department transferred
monies to the Arizona Department of Child Safety and the Arizona Early Childhood Development and Health Board for services provided for the
federal Maternal, Infant, and Early Childhood Home Visiting program. In addition, the Department transferred approximately $2.8 million in fiscal
year 2018 from its lottery proceeds to the Arizona Department of Economic Security in accordance with Laws 2017, Ch. 305, §31.
10
The Bureau of Radiation Control’s beginning fund balance represents the Arizona Radiation Regulatory Agency’s (ARRA) July 1, 2017,
beginning fund balance. Effective January 1, 2018, Laws 2017, Ch. 313, eliminated ARRA and transferred its responsibilities to the Department.
The table presents ARRA’s financial activity for all of fiscal year 2018.
Source: Auditor General staff analysis of the Arizona Financial Information System Accounting Event Transaction File for fiscal years 2017 through
2019 and Department-provided information.
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 5
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 6
FINDING 1
5
The Arizona Department of Economic Security (DES), consistent with Arizona Revised Statutes, investigates allegations of abuse, neglect, and
exploitation of vulnerable adults in Arizona, which DES does through its Adult Protective Services program. Although both the Department and
DES investigate allegations of abuse involving vulnerable adults at long-term care facilities, DES determines whether or not the abuse occurred,
and the Department reviews the facility’s practices and policies and procedures to determine if the facility has appropriate safeguards in place
to mitigate the likelihood of abuse occurring. The Department’s online complaint form asks complainants to indicate whether they contacted
any other agencies, including DES Adult Protective Services. Additionally, Department staff are required to ask complainants during intake if
they have contacted other appropriate agencies who could provide assistance, such as DES Adult Protective Services.
6
To meet CMS’ annual survey requirement, the Department’s survey of a facility must be completed within 15.9 months after the last day of the
previous survey for that facility, but the State-wide average for all facilities surveyed must not exceed 12.9 months. According to CMS guidance,
annual surveys involve observations and/or review of areas including dining, infection-control protocols, administering medication, storage of
medication, sufficiency and competency of nursing staff, and resident assessments.
7
The Department is also required to investigate complaints and self-reports for 1 facility that has a State license only and the 10 Arizona Training
Program Intermediate Care Facilities for Individuals with Intellectual Disabilities that have CMS certification only.
8
According to the Department, CMS conducts certification surveys and complaint/incident investigations for long-term care facilities on Arizona’s
Native American Reservations.
PAGE 7
We identified 2 complaint/self-report-handling areas where the Department was not meeting complaint/self-
report-handling requirements. Specifically, the Department did not (1) investigate all complaints and self-reports
as required and (2) prioritize, investigate, and resolve all complaints and self-reports timely.
Figure 1
Department’s long-term care facility complaint and self-report process
!
COMPLAINT
An allegation or concern about a regulatory violation, including resident abuse or neglect submitted by an
individual or another State or federal agency.
üû
RECEIPT/
The investigation
PRIORITIZATION INITIATION INVESTIGATION
results in the
Department gathers The investigation Department must allegation being
information and begins when investigate the substantiated or
assigns a priority level Department staff allegation. unsubstantiated.
based on the severity enter the facility.
of the allegation.
SELF-REPORT
! Incident reported by the facility involving potential regulatory violations, including injuries of an unknown
origin and allegations of abuse. Facilities must submit to the Department a detailed report of their
investigation within 5 days.
Source: Auditor General staff review of CMS’ State Operations Manual Chapters 5 and 7 and the Department’s Division of Public Health
Licensing’s policies and procedures.
9
The Department received a total of 34 complaints for these 5 facilities in calendar years 2017 and 2018. However, we removed 1 complaint from
our review because of inconsistencies in the reported data. For example, the date the complaint was received occurred after the documented
date of investigation.
10
Of the 147 facilities, we judgmentally selected 2 of the 5 facilities in our sample using information from a searchable database available through
the Department’s AZ Care Check website and CMS’ website because of rating discrepancies in each facility’s ratings on the 2 websites.
Specifically, the Department’s AZ Care Check website indicated that both facilities had been given an A rating, yet the CMS website indicated
that the 2 facilities were rated overall as below average and much below average. We selected 3 facilities from a list of 39 facilities that had
undergone and completed surveys (inspections) between December 2018 and May 2019 to ensure we captured facilities from across the State
within our sample. Specifically, of the 5 total facilities selected, 2 were Phoenix area facilities, 1 was a Tucson facility, and 2 were facilities located
in rural areas of the State. In addition, we judgmentally selected 37 of the 172 self-reports submitted by these 5 facilities to ensure our sample
included self-reports from each of the 5 facilities, self-reports that were received throughout both calendar years 2017 and 2018, and self-
reports at different stages of completion (such as closed, pending investigation, or not yet prioritized).
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 8
• Uninvestigated complaints—As shown in Figure 2, as of June 2019, 14 of the 33 complaints, or 42 percent,
had been open between 229 days and 851 days without an investigation. The complaint that had been open
and uninvestigated for 851 days was
Figure 2
submitted by another State agency
and alleged that inadequate staffing Time frames for 38 open and uninvestigated long-term
levels caused a resident, who was care facility complaints and self-reports from calendar
unable to feed or use the restroom years 2017 and 2018
without assistance, to be soaked in As of June 2019
their own urine and have their clothes Complaints Open and Shortest Longest
stained with dried food. Total: 33
uninvestigated 229 days 851 days
14
• Uninvestigated self-reports—As of Average
628 days
June 2019, 24 of the 37 self-reports, Self-reports Open and Shortest Longest
or 65 percent, had been open Total: 37
uninvestigated 173 days 904 days
The Department also provided us with unaudited data from its system in June 2019 showing that 2,767 of the
total 4,958 complaints and self-reports the Department received in calendar years 2017 and 2018 for its long-term
care facilities, or approximately 56 percent, were open and uninvestigated.12
11
According to federal regulations, a report of the results of all investigations is required to be completed and submitted to the Department within
5 working days of the incident alleging abuse, neglect, exploitation, or mistreatment.
12
The Department-provided data for calendar years 2017 and 2018 includes complaints and self-reports from all the State’s long-term care
facilities, including the facilities that were State licensed or CMS certified only, and the facilities that are both State licensed and CMS certified.
The complaint numbers do not include the 1 open and uninvestigated complaint for the Arizona Pioneers’ Home, which a legislative member
requested the Department review, because the Home is not a State-licensed or CMS-certified long-term care facility.
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 9
Although the Department has not established time frames for completing investigations, we identified 1 western
state, California, that has established a time frame for completing investigations in statute. California requires
complaint investigations to be completed within 60 days of receipt of complaints received on or after July 1,
2018.13 Based on our review of the 33 complaints and 37 self-reports, the Department had investigated 20 of the
70, or 29 percent, of the complaints and self-reports. For those 20 complaints and self-reports, the Department
took between 3 and 451 days to investigate the complaint or self-report (see Figure 3).14
Figure 3
Investigation time frame for the 20 investigated long-term care facility complaints and self-
reports from calendar years 2017 and 2018
As of June 2019
Number of complaints and self-reports
6 2 2 10
Source: Auditor General staff analysis of 33 complaints and 37 self-reports the Department received in calendar years 2017 and 2018 for 5
judgmentally selected long-term care nursing facilities.
Although neither the federal government nor the Department has established an overall time frame for investigating
long-term care facility complaints, federal guidance sets time frames for 2 steps within the complaint/self-report-
handling process—complaint/self-report prioritization and investigation initiation. For the 70 complaints and self-
reports we reviewed, we identified some delays in the Department performing both of these complaint-handling
steps. Specifically:
• Department did not prioritize for investigation as required 38 of the 70 complaints and self-reports
we reviewed—According to federal guidance, the Department is required to assign an investigation priority
level to all complaints and self-reports based on the complaint or self-report allegations. This priority level
establishes how quickly the Department must begin its investigation. According to federal requirements,
prioritization should occur within 2 working days from when the complaint or self-report was received, except
those that allege the presence of an immediate jeopardy. Immediate jeopardy complaints and self-reports
must be prioritized immediately for investigation. Even though
13 complaints and self-reports
the Department did not investigate all 70 complaints and self- prioritized after 2 working days
reports in our sample, they all should have received a priority
level. For the 70 complaints and self-reports in our sample, we
found that 32, or 46 percent, were prioritized within 2 working 2
days as required. The Department took longer than 2 working days
days to prioritize 13 complaints and self-reports, and as of June
32 complaints and 25 complaints
2019 had not prioritized the remaining 25 complaints and self- self-reports prioritized and self-reports
reports for investigation between 173 and 904 calendar days within 2 working days not prioritized
after receipt.
• Department did not timely initiate investigations for 15 of the 20 complaints and self-reports we
reviewed—Federal guidelines and State procedures establish time frames for initiating complaint and self-
report investigations based on the priority level assigned (see textbox on page 11). Based on our review of
13
In 2015, California passed a law that required investigations of long-term care facility complaints to be completed within 90 days of receipt. This
time frame was shortened to 60 days effective July 1, 2018. Although the law indicates that an additional 60 days may be allowed to investigate
a long-term care facility complaint, this extension must be documented by California’s Department of Health.
14
Number of days calculated from complaint/self-report receipt to investigation completion.
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 10
Priority levels and associated investigation initiation time frames1
Priority A—These complaints/self-reports allege that an immediate and serious threat to health and safety
has caused or is likely to cause serious injury, harm, impairment, or death and the Department must start its
investigation within 2 working days of the complaint’s or self-report’s receipt.
Priority B—These complaints/self-reports allege actual harm that impairs mental, physical, and/or psychosocial
status, but it does not rise to the level of an immediate and serious threat, or allege that hazards to health and
safety may exist and are likely to cause a significant problem in care and treatment. For these allegations, the
Department must start its investigation within 10 working days of prioritization.
Priority C—These complaints/self-reports allege a situation that harms or may cause harm of limited
consequences, but it does not significantly impair mental, physical, and/or psychosocial functions. These
complaints/self-reports also include those situations negatively impacting care and treatment that may not
include actual harm. For these allegations, the Department must start its investigation within 45 working days
of prioritization.
1
Federal and State guidance also establishes priorities D through H for complaints/self-reports that are of a less serious nature or outside of
the Department’s jurisdiction. Priority D complaints/self-reports are required to be investigated during the next survey. The other categories
do not have a specific time frame for beginning investigations.
Source: Auditor General staff review of CMS’ State Operations Manual Chapter 5 and the Department’s Division of Public Health Licensing’s
policies and procedures.
the 20 complaints and self-reports where the Department initiated an investigation, the Department did not
timely initiate its investigations for 15 of these complaints and self-reports (75 percent). Specifically:
Finally, there are no overall State or federal time frames for how quickly the Department should resolve and
close its long-term care facility complaints and self-reports after completing its investigation, including notifying
the complainant of the results. However, for the 20 investigated complaints and self-reports in our sample, the
Department has not always done so shortly after completing its investigation. Specifically, the Department took
between 42 and 110 calendar days to resolve and close 17 of the 20 investigated complaints and self-reports. In
addition, as of June 2019, the remaining 3 investigations had been open between 19 and 117 calendar days after
the investigation was completed.
15
The Department assigned a priority D to 1 remaining self-report. Federal guidance requires that the complaints and self-reports given a priority
D be done in conjunction with the facility’s next annual survey. The Department met this time frame for this self-report.
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 11
Uninvestigated and untimely long-term care facility complaint and
self-report investigations may put residents at risk
Not investigating complaints and self-reports can put long-term care facilities’ residents at risk of a variety of negative
circumstances, including continued abuse, exploitation, or unsanitary conditions. For example, 1 complaint in
our sample that had been open and uninvestigated for 229 days was made by a nursing student on rotation at
a long-term care facility who alleged residents were being subjected to abuse, neglect, unsanitary conditions,
and inappropriate quality of care/treatment. By not initiating an investigation of this complaint, the Department
had yet to determine whether the allegations were substantiated/unsubstantiated and, if substantiated, also
taking necessary action to address the violation(s), which might include issuing a Statement of Deficiencies and
requiring the facility to develop and implement a Plan of Correction to help ensure the facility addressed the
problems to protect the health and safety of its residents or revoking a facility’s license.
In addition, the longer a complaint or self-report remains uninvestigated, the more likely potential problems or
violations will remain unaddressed. For example, the Department did not begin its investigation for 1 of the
complaints in our sample until 121 working days after it was received. This complaint, which was submitted by a
resident’s mother after the resident was hospitalized following a stroke at the facility, alleged that the resident did
not receive proper medical care including proper medication. Although the Department eventually substantiated
that the facility failed to provide proper medication, by not investigating the complaint in a timely manner, the
Department was unable to ensure the facility timely resolved the specific concern with this patient before the
patient was moved to a different facility. Further, the Department was unable to ensure that the facility timely
established safeguards to prevent this situation from occurring with other residents. Timely investigations may not
only prevent problems from escalating but may also deter future incidents from occurring because preventative
safeguards are more likely to be in place due to the Department’s presence. Additionally, by not investigating
in a timely manner, complainants may question the status of their complaints and the Department’s efforts to
resolve the complaint. For the complaint previously discussed, the resident’s mother called the Department twice
to check on the status of her complaint, once 49 days after submitting the complaint and the other 19 days after
the first call.
• Department has placed priority on annual site surveys—State and federal laws and regulations require the
Department to conduct onsite surveys of long-term care facilities annually.16 These surveys assess a facility’s
compliance with State licensing and federal certification requirements through observation, file reviews, and
interviews, including ensuring that policies are in place to safeguard resident well-being, such as receiving
proper care and medication. According to the Department, it has placed a high priority on performing these
surveys and a lower priority on complaint investigations, in part, because its federal funding is reduced when
it does not meet the annual survey time frame. CMS conducts an annual formal assessment, known as the
State Performance Evaluation, to determine whether State Survey Agencies fulfill their responsibilities, such
as timely conducting site surveys. Based on our review of the Department’s annual CMS State Performance
Evaluations for federal fiscal years 2015 through 2018, the Department met its annual survey time frame in
2017 and nearly met the time frame in 2018.17
Although the Department can complete some complaint and self-report investigations during the annual
recertification survey, CMS guidance states that the Survey Agency (i.e., the Department) should generally take
only 5 complaints on a survey to prevent the survey from becoming an abbreviated complaint investigation.
16
For more information about CMS’ annual survey requirement, see footnote 6, page 7.
17
In federal fiscal year 2018, the Department’s average was 13 months; see footnote 6 for more information about survey requirements.
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 12
In addition, we were told by CMS officials that the Department should be investigating complaints and self-
reports outside of the annual recertification surveys in accordance with the initiation time frame associated
with the assigned priority level. However, the Department reported that it investigates complaints and self-
reports outside of the annual recertification survey only for priority level A complaints and self-reports and
some priority level B complaints and self-reports if there are multiple complaints or self-reports that include
very similar allegations at the same facility. The rest of the complaints and self-reports would likely not be
investigated at all. For example, we found that only 4 of the 20 investigated complaints and self-reports in our
sample were investigated outside of an annual recertification survey.
• Department has yet to allocate the additional staff to complaint-handling activities that it indicated
it would—According to the Department’s 4 annual CMS State Performance Evaluations for federal fiscal
years 2015 through 2018, the Department did not meet the federal time frame for initiating its complaint and
self-report investigations for priority level B complaints and did not meet the federal time frame for priority
level A complaints in 2016 and 2017. The Department is required to develop a plan of improvement for
any deficiencies CMS notes in its review. In its response to the 2015, 2016, 2017, and 2018 reviews sent
to CMS in calendar years 2016, 2017, 2018, and 2019, the Department indicated that it planned to meet
the federally required time frames for priority level B complaints by dedicating 2 staff full time to complaint-
handling activities, including prioritizing and investigating complaints.18 The Department has yet to take this
action. However, during the audit, the Department indicated that it may be able to hire some additional staff
and/or reallocate some staff from another area to specifically handle its long-term care facility complaints.
• Department lacks updated policies and procedures—CMS requires that the Department document in
policies and procedures the process it will take to respond to complaints. The Department has established
complaint-handling policies and procedures. However, they were last updated in 2011 and do not reflect the
Department’s most up-to-date complaint-handling practices. For example, the Department’s policies and
procedures contain contradictory information about the time frame for initiating priority level C complaint and
self-report investigations. Specifically, in one place, the policies and procedures require these investigations
to begin within 45 days and in another place within 45 working days. Further, our review of the Department’s
data for the priority level C complaints and self-reports in our sample found that the Department had calculated
the due date for initiating these investigations using both 45 calendar days and 45 working days.
• Department lacks sufficient management reports—The Department has not developed management
reports that could help it effectively identify complaints and self-reports that are not being investigated or
resolved timely. Although the Department provided us with one bimonthly management report, which can
be broken out by priority level, it provides information for complaints only where the Department has made
some type of change, such as entering a date or other information, in the previous 6 months. Any complaint
that has not had any type of change in more than 6 months would not be reflected on the report. In addition,
it does not provide any information on self-reports or other important information on the status of complaint
investigations, such as the total number of complaints in each step of the complaint-handling process or how
long they have been open. Further, the report does not help the Department effectively identify complaints
that have been investigated and are awaiting final resolution, such as preparing a Statement of Deficiencies,
the facility submitting a Plan of Correction, or closure in the system.
18
The Department indicated in the 2015 plan of improvement that it would assign 5 staff to investigate complaints, but subsequent plans
indicated only 2 staff members would be assigned to complaints.
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 13
• Federal requirement issues—The Department indicated that the directions it has received from CMS have
had some impact on the effective processing of its long-term care complaints and self-reports. Specifically:
○○ Department believes that self-reports do not need to be prioritized for investigation until after
the Department receives a facility’s required 5-day report—The Department indicated that based
on its interpretation of CMS-provided direction, it could wait to decide what priority level to assign to the
self-report, which would determine how quickly it needed to initiate an investigation, until after it received
a facility’s 5-day report. This 5-day report provides information about the incident and the steps the
facility is taking or has taken to address the incident. However, we were told by CMS officials that the
Department should determine a priority level within 2 working days and should not wait until receiving
the facility’s 5-day report. Further, CMS guidance does not make a distinction between the handling of
self-reports and complaints and does not state that the Department can wait to receive a facility’s 5-day
report before prioritizing self-reports for investigation.
Recommendations:
1. To help ensure all long-term care facility complaints and self-reports are prioritized, investigated, and
resolved in a timely manner, the Department should:
a. Continue with its efforts to allocate new or reallocate existing staff to prioritize, investigate, and resolve
long-term care facility complaints and self-reports on a full-time basis.
b. Develop and implement a time frame for completing investigations and closing long-term care facility
complaints and self-reports.
c. Regularly update its policies and procedures to reflect changes in its current long-term care facility
complaint and self-report investigation and resolution practices and CMS requirements.
d. Develop and implement additional bimonthly management reports to monitor whether and how quickly
its long-term care facility complaints and self-reports are being prioritized, investigated, and resolved.
e. Ensure that any complaints and self-reports that are investigated during an annual survey or outside of
the annual survey are initiated and investigated according to the time frames required by the assigned
priority level.
2. The Legislature should consider forming a task force to study and propose policy options for addressing
the Department’s timely investigation and processing of long-term care facility complaints and self-reports
to help ensure resident health and safety. Options to consider include establishing requirements for
investigating all complaints and self-reports, appropriate time frames for conducting investigations of and
closing out long-term care facility complaints and self-reports, and reporting performance metrics to the
Legislature. Task force members should include appropriate stakeholders, such as legislators, Department
representatives, Arizona Department of Economic Security representatives, industry members (i.e., long-
term care facility owners or licensed administrators), patient advocates, and if appropriate, a federal CMS
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 14
representative. Legislation forming the task force should identify task force membership, its overall purpose
and expected outcomes, and deadlines for reporting recommendations to the Legislature.
Department response: As outlined in its response, the Department disagrees with the finding, but will
implement the recommendations directed to it.
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 15
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 16
FINDING 2
19
See A.R.S. §§38-502 and 38-503(A)&(B).
PAGE 17
statutory conflict-of-interest requirements and best practices and increased the risk of Department employees
and public officers not disclosing substantial interests. Specifically, the Department:
• Lacked a special disclosure file as required by statute and a remediation process to address
disclosed conflicts—The Department housed its completed forms in each individual employee’s personnel
file or the State’s online Hiring Express system instead of in a special disclosure file. As a result, the Department
lacked a method to track how many employees—and which employees—disclosed an interest and make
this information available in response to public requests. In addition, the Department had not established a
process to review and remediate any disclosed conflicts.
• Did not require annual disclosures—The Department required only new employees to complete the form
at the time of their hire with the State if the employee indicated that they had a potential conflict in their
onboarding paperwork and any time there was a change, as determined by the employee; it did not require
employees to complete the form annually. Although annual disclosures are not required by statute, doing so
regularly reminds employees/public officers of the importance of complying with conflict-of-interest laws and
helps ensure that potential conflicts of interest are disclosed if an employee’s or public officer’s circumstances
change. For example, several Department employees participated in the Department’s medical marijuana
Dispensary Registration Certificate allocation process, which determines individual(s) authorized to open a
medical marijuana dispensary. Although we did not identify any conflicts of interest listed on employees’ forms
who worked on this process, many of the disclosures were from the early 2000s before medical marijuana
was legal and the Department had implemented the Dispensary Registration Certificate allocation process.
In addition, 2 of the employees’ forms were signed when they worked for other State agencies prior to being
employed by the Department.
• Lacked policies and procedures—Department staff reported that they did not have any Department-
wide policies and procedures related to the State’s conflict-of-interest requirements. Rather, they used the
Arizona State Personnel System Employee Handbook (handbook). However, this handbook has very limited
information regarding conflicts of interest and did not include guidance pertaining to the deficiencies we noted
in the Department’s processes. A better practice would be establishing its own policies and procedures,
which provide employees with an understanding of the Department’s specific processes for meeting the
State’s conflict-of-interest requirements.
20
A.R.S. §38-502(8) defines “public officer” as all elected or appointed officers of a public agency established by charter, ordinance, resolution,
State constitution, or statute. According to the Arizona Agency Handbook, public officers include directors of State agencies and members of
State boards, commissions, committees—whether paid or unpaid.
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 18
• Lacked Department-specific training—Department staff reported that they did not have any Department-
wide initial or periodic refresher training related to conflict-of-interest requirements. Rather, they used the
State’s online training courses. However, Department training would provide employees with an understanding
of how the State’s conflict-of-interest requirements relate to their unique program, function, or responsibilities.
Recommendation:
3. The Department should continue its efforts to develop and implement a new conflict-of-interest disclosure
process and form that will help it comply with the State’s conflict-of-interest requirements and best practices,
such as having public officials and employees annually disclose whether or not they have any substantial
financial and/or decision-making conflicts, and train employees on how the State’s conflict-of-interest
requirements relate to their unique program, function, or responsibilities.
Department response: As outlined in its response, the Department agrees with the finding, and will
implement the recommendation.
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 19
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 20
FINDING 3
Although the Department has established some ASET-required policies and procedures, we identified gaps
in the Department’s IT security processes in the following 4 areas: (1) web application development, (2) data
classification, (3) risk assessment, and (4) security awareness training.
PAGE 21
The Department indicated that as of August 2019, it had conducted an investigation and determined that this
was a security incident and had reported the incident to ASET as required. The Department also reported that its
investigation into the incident was closed.
However, we found that the Department’s web application development policies and procedures are not aligned
with ASET and credible industry standards, which may have prevented confidential data from being exposed.22
Specifically, the Department’s policies and procedures do not require:
• Gathering security requirements—Security requirements should include classifying data in the application
according to its level of confidentiality and defining how the web application will comply with all relevant
regulations and standards related to this data.
• Using up-to-date secure coding standards—These are steps that should be followed to develop a web
application based on ASET requirements and credible industry standards.
• Performing threat modeling during development—Threat modeling involves defining how the application
works, exploring potential vulnerabilities and threats by thinking of possible ways a malicious actor would
attack the application, and then developing mitigating controls for each of the realistic threats identified.
• Reviewing source code—Source code review is the process of manually checking the source code of a
web application for security issues that may not be detected with any other form of analysis or testing.
• Performing security testing before releasing a web application to the live environment—Conducting
security testing, such as scanning or penetration testing, before release helps ensure that web applications
function as intended and do not contain vulnerabilities when released.
The Department also does not require staff who are responsible for developing and modifying web applications
to receive role-based training on how to build secure web applications (see Issue 4, pages 24 through 25, for
more information on role-based training).
21
OWASP is an open community dedicated to enabling organizations to develop, operate, and maintain applications that can be trusted.
22
Open Web Application Security Project. (2014). OWASP testing guide, version 4.0. Bel Air, MD: OWASP Foundation; Open Web Application
Security Project (OWASP). (2017a). OWASP top 10-2017: The ten most critical web application security risks. Bel Air, MD: OWASP Foundation;
Open Web Application Security Project (OWASP). (2017b). Code review guide 2.0. Bel Air, MD: OWASP Foundation; Open Web Application
Security Project (OWASP). (2018). OWASP Proactive controls for developers 3.0. Bel Air, MD: OWASP Foundation. National Institute of Standards
and Technology (NIST). (2013). NIST Special Publication 800-53, Revision 4: Security and privacy controls for federal systems and organizations.
Gaithersburg, MD.
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 22
Recommendations
The Department should:
4. Develop and implement web application development policies and procedures that incorporate security
into the development and modification process, including requirements for gathering security requirements,
using up-to-date secure coding standards, performing threat modeling during development, reviewing
source code, and performing security testing before releasing a web application to the live environment.
5. Require staff who are responsible for developing web applications to regularly receive role-based training
on how to develop and maintain secure web applications.
Department response: As outlined in its response, the Department disagrees with the finding, will
implement recommendation 4, but will not implement recommendation 5.
We reviewed the Department’s data classification policy and procedures and found that although the Department’s
data classification policy is consistent with ASET requirements, the Department’s procedures do not provide
detailed guidance on how to classify data, develop and regularly update a data classification inventory, protect
the data based on risk, and handle confidential data, such as processing sensitive data using only approved
devices. Additionally, even though the Department reported that it treats all of its data as confidential, it has not
inventoried its data and documented the classification of that data. By not formally classifying the data within its
systems, the Department runs the risk that it or its employees may provide external entities with access to data
or other information they do not need and/or should not have.
Recommendation
6. The Department should develop and implement revised data classification policies and procedures
that provide guidance on how to classify its data; require developing a data classification inventory that
is updated regularly; specify requirements for protecting data based on its level of risk; and establish
processes for handling confidential data, such as ensuring that only approved devices process confidential
data.
Department response: As outlined in its response, the Department disagrees with the finding, and will not
implement the recommendation.
23
NIST, 2013.
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 23
We reviewed the Department’s risk assessment policy and procedures and found that they include most
requirements, such as how to conduct a risk assessment, documenting and disseminating risk assessment
results, and implementing a plan of action and milestones to address identified risks. However, they do not provide
detailed guidance on categorizing the Department’s information based on the potential impact to the State or
citizens resulting from disclosure, modification, destruction, or nonavailability of data as required by ASET policy.
Classifying information based on the potential impact resulting from disclosure helps an organization determine
how to prioritize any risks identified during the risk assessment process
Additionally, the Department reported it is no longer following the requirements outlined in its risk assessment
policy and procedures and is instead focusing on implementing the information security controls identified by
the State. In addition, as of July 2019, the Department reported that while it has performed some activities, such
as completing an IT questionnaire where it self-reports how formalized certain IT security activities are within
the Department, including risk assessment, it had not conducted a formal Department-wide risk assessment
since 2015. The Department also indicated it has performed informal IT risk assessments using vulnerability
scanning results, which are used to identify vulnerabilities, or IT security weaknesses within IT systems. Although
vulnerability scanning is important, it is only one practice that should be considered and integrated when creating
and implementing an IT risk assessment process. In addition to vulnerability scanning, IT risk assessments
should also consider, review, and address other IT security threats, such as weak security practices, lack of plans
to address security incidents, and data or hardware loss due to fire or flood.
Recommendations
The Department should:
7. Conduct a formal Department-wide risk assessment at least annually, as required in its risk assessment
policy and procedures, to evaluate, document, and prioritize the areas in the Department’s IT environment
with the highest security risks.
8. Develop and implement a revision to its risk assessment policy and procedures to include categorizing
the Department’s information based on the likelihood of risk and magnitude of harm as required by ASET
policy.
Department response: As outlined in its response, the Department disagrees with the finding, but will
implement the recommendations.
We reviewed the Department’s security awareness training policy, which specifies that all employees and
contractors must complete basic security awareness training when initially hired and annually thereafter, as
required by ASET policy. The Department indicated that this training consists of 2 classes—a basic security
awareness class and a Health Insurance Portability and Accountability Act (HIPAA) privacy and information
security class. However, the Department is not enforcing this requirement because it has not tracked and ensured
that its employees and contractors are completing these trainings as required. Specifically, only 20 percent of
the Department’s 1,128 employees completed both trainings in calendar year 2018.24 The Department reported
24
We were not able to determine a training compliance rate for the Department’s contractors because the Department’s training rosters do not
include contractors’ hire dates.
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 24
that the training-completion percentages for calendar year 2018 were abnormal and that ASET reported to the
Department that their training-completion rate as of June 2019 for the basic security awareness class was 86
percent, which meets ASET’s 80 percent compliance requirement for employees. The Department did not provide
any information on the training-completion rate for its calendar year 2019 HIPAA security class.
Further, the Department’s security awareness training policy requires that all of its employees and contractors
complete acceptable use attestations during security awareness training. Acceptable use attestations are
agreements employees and contractors sign to indicate that they understand and agree with acceptable-use
rules when accessing the Department’s IT systems. However, based on our review of a random sample of 28
employees, 14 did not complete the acceptable use attestation during annual security awareness training in
calendar year 2018.25
We also assessed the Department’s security awareness training policy for compliance with other ASET
requirements, including those related to role-based training. Although the Department’s security awareness
training policy mentions role-based security training, the Department has not developed and implemented
procedures that provide guidance on the type of role-based training it should provide. ASET policy requires that
State agencies develop and implement security awareness training that is specifically geared toward employees’
roles and responsibilities. Additionally, the Department indicated that it has not yet developed and implemented
role-based training but plans on doing so in 2020. Finally, the Department lacks procedures that detail how it
will implement its security awareness program, such as requiring employees and contractors to complete the 2
security awareness classes annually; descriptions of the topic areas that its security awareness training classes
should cover; and how it will communicate security awareness training throughout the year.
Recommendations
The Department should:
9. Develop and implement revised security awareness training policies and procedures that include a process
for ensuring employees and contractors comply with annual basic security awareness and HIPAA training
requirements and acceptable use attestations; specify the role-based training that is required based on
employees’ and contractors’ responsibilities; explain how it will implement its security awareness program;
describe the topic areas that its security awareness training classes should cover; and specify how it will
communicate security awareness training throughout the year.
10. Continue with its plans to develop and implement role-based training.
Department response: As outlined in its response, the Department disagrees with the finding, but will
implement the recommendations.
25
After selecting our random sample of 30 employees, we removed 2 employees because their start dates were in calendar year 2019.
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 25
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 26
FINDING/CHAPTER
SUNSET FACTORSX
In accordance with A.R.S. §41-2954, the Legislature should consider the following factors in determining whether
the Department should be continued or terminated.
In addition to the recommendations in this report, the Department should address the recommendations directed
to it in the other 3 performance audit reports we issued as a part of this sunset review (see Auditor General
Reports 19-107, 19-109, and 19-111).
Sunset factor 1: The objective and purpose in establishing the Department and the extent to which the
objective and purpose are met by private enterprises in other states.
The Department was established to provide and coordinate public health services and programs for the State.
Some of the Department’s key responsibilities include regulating some health-related occupations, such as
emergency medical care technicians; regulating childcare and healthcare facilities; responding to public health
emergencies; and helping control public health epidemics. The Department is also responsible for ensuring
all retail food and drink in the State is safe for consumption. In addition, it administers the WIC program, which
offers nutrition education and breastfeeding support services along with access to supplemental nutritious foods
and operates the State Hospital, which provides long-term inpatient psychiatric care to Arizonans with mental
illnesses who are under court order for treatment.
The Legislature has changed some of the services the Department is responsible for providing. Specifically,
Laws 2015, Ch. 19, transferred the administration of behavioral health services from the Department to AHCCCS
effective June 30, 2016. In addition, Laws 2017, Ch. 313, and Laws 2018, Ch. 234, eliminated ARRA, the Arizona
Radiation Regulatory Hearing Board, and the Arizona Medical Radiologic Technology Board of Examiners and
transferred their authority, powers, duties, and responsibilities to the Department.
We did not identify any states that met the Department’s objective and purpose through private enterprises.
Sunset factor 2: The extent to which the Department has met its statutory objective and purpose and the
efficiency with which it has operated.
Some of our performance audits or other work we conducted as a part of the Department’s sunset review found
that the Department has met its statutory objective and purpose or is improving the efficiency with which it has
operated. Specifically:
• Department appropriately approved and denied applications for the medical marijuana cardholders
we reviewed—We reviewed 50 cardholder applications issued in fiscal year 2018 and found that the
Department issued these in a timely manner and in accordance with statute and rule. In addition, we reviewed
10 additional cardholder applications that were denied in fiscal year 2018 and found that they were denied
for appropriate reasons. Similarly, our review of a sample of 10 cards that were revoked in fiscal year 2018
found that the Department had revoked these 10 cards for appropriate reasons. See Auditor General Report
19-107.
PAGE 27
of Administration’s Arizona Grants Manual. Specifically, for these 3 grants, the Department regularly received
programmatic reports, reviewed invoices and supporting documentation, conducted site visits, and reflected
its grant monitoring process requirements in written policies and procedures.
• Department working to reduce nonionizing and x-ray facility inspection backlog—As indicated in
Sunset Factor 1 (see page 27), the regulatory responsibilities of ARRA were transferred to the Department
in 2017. In our February 2019 follow-up report on our performance audit and sunset review of ARRA, we
reported that the Department was addressing a nonionizing and x-ray facility inspection backlog—which
existed when it received the ARRA responsibilities—by increasing the number of inspector positions while
reducing the number of administrative staff (see Auditor General Report No. 15-115, 36-month follow-up
report). Based on our review of Department inspection backlog data for February 2019 and May 2019, the
Department had reduced the nonionizing facility inspection backlog from 399 to 209 facilities and the x-ray
facility inspection backlog from 698 to 537 facilities between February 2019 and May 2019.
• State Hospital is accredited and has established processes for admitting patients, ensuring
patients receive prescribed treatment, and reporting incidents—Our review of the State Hospital,
which is responsible for caring for patients with mental illnesses, found that since 1970, the State Hospital
has maintained its accreditation through The Joint Commission, a nonprofit organization that accredits
and certifies hospitals nationally. In addition, we reviewed the State Hospital’s processes for admitting
individuals into the State Hospital and for helping to ensure its patients receive their prescribed treatment.
We found that the State Hospital has adhered to its established processes for the admission applications
and patient treatment files we reviewed. Further, we found that the State Hospital had implemented 5 of 6
recommendations from a 2015 independent investigation to improve the State Hospital’s incident-reporting
processes. For example, we found that the State Hospital had established a method to follow incidents from
beginning to conclusion, improved staff training for preparing incident reports, and taken steps to ensure all
required events are reported in an incident report. See Auditor General Report 19-111.
We also identified some areas where the Department should improve its effectiveness. Specifically:
• Department did not timely, consistently, or adequately perform several medical marijuana
regulatory activities and misallocated some Medical Marijuana Fund (Fund) monies—We found
that the Department did not always timely revoke some registry identification cards, did not timely and
consistently inspect facilities or consistently address facility noncompliance, inadequately investigated some
complaints, did not inspect infusion kitchens according to Arizona food safety standards, has not formally
reviewed its Medical Marijuana Program fees, and misallocated some Fund monies. We recommended that
the Department take more timely actions to revoke cards, and develop or update and implement policies and
procedures or processes for several areas including inspections, complaint handling, and allowable use of
Fund monies (see Auditor General Report 19-107).
• Department did not follow some procurement requirements and paid for some services without
ensuring they were provided and contract requirements were met—We found that the Department
did not follow some State procurement requirements for 22 of 25 contracts we reviewed, paid for some
services without ensuring they were provided, and did not consistently provide adequate oversight to ensure
the appropriate use of public monies. For example, we found that the Department incorrectly procured a
professional services contract and paid the contractor more than allowed by statute; did not follow other
key purchasing requirements, such as having conflict-of-interest disclosure statements for all Department
program staff who participated in the procurement for 11 of the 25 contracts we reviewed; did not ensure
17 of the 37 contract requirements we reviewed were met; and paid for unauthorized services or services
without ensuring they were received. We recommended that the Department develop and implement policies
and procedures in various areas and implement a centralized process for overseeing its contract monitoring
efforts (see Auditor General Report 19-109).
• State Hospital should evaluate effectiveness of strategies to reduce assaultive patient behavior—
We recommended that the State Hospital evaluate the effectiveness of its strategies to reduce assaultive
patient behavior (see Auditor General Report 19-111).
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 28
• Department should improve IT security policies, procedures, or practices in 4 areas—Some gaps in
Department IT security processes resulted in the Department exposing statutorily confidential data, including
names, birthdates, and identification numbers. We recommended the Department make improvements in 4
areas: web application development, data classification, risk assessment, and security awareness training
(see Finding 3, pages 21 through 25).
• Department’s grant award evaluation documentation did not meet statutory requirements—Based
on our review of the 3 grants previously discussed (see pages 27 through 28), we found that the Department
did not appropriately document its award decisions for the 3 grants we reviewed. Statute requires that
the Department evaluate grant applications based on evaluation factors specified in the grant solicitation,
maintain a written record of the award decision, and include in its award documentation comments regarding
the applicant’s compliance with evaluation factors.26
The Department uses a color-coded scoring sheet to evaluate whether grant applicants meet application
requirements and should be awarded grant monies, which it includes in its grant files to document award
decisions. However, for 2 of the 3 grants we reviewed, the Department’s scoring sheets were black and white,
so it was not clear what score the applicant received, and the scoring sheets also did not contain comments
or other indications showing whether applicants complied with evaluation factors. In addition, for 1 of the 3
grants we reviewed, the Department evaluated the application against additional criteria not set forth in the
solicitation. Although the grantee submitted documentation with the application that addressed the additional
criteria, statute requires all evaluation factors to be included in the grant solicitation.
During the audit, the Department began taking steps that would address the documentation issue.
Specifically, in July 2019, the Department began requiring its staff to use the Arizona Office of Grants and
Federal Resources’ electronic grants management system to evaluate grant applicants using a numerical
score.27 The Department reported that it plans to use this system to also maintain the award evaluations and
decisions.
Recommendation
11. The Department should continue using the electronic grants management system, and ensure that for all
future grant evaluations conducted using this system its grant evaluations clearly indicate whether grant
applicants complied with all evaluation criteria and that all evaluation factors are included in the grant
solicitation.
Department response: As outlined in its response, the Department agrees with the finding, and will
implement the recommendation.
Sunset factor 3: The extent to which the Department serves the entire State rather than specific interests.
The Department serves the entire State by providing services designed to promote, protect, and improve the
health of Arizona’s citizens and communities. Although some of these services and programs are directed toward
specific populations, they can be accessed by eligible Arizonans across the State. For example, the Department
administers:
• Arizona’s WIC program, which serves eligible women, infants, and children across the State through 21 local
agencies. The program provides participants with breastfeeding support, information about other community
resources, nutrition education, and electronic benefits cards that can be used to purchase food.
• The Smoke-Free Arizona program, which was implemented to protect Arizonans from the harmful effects
of secondhand smoke exposure in most enclosed public places and places of employment. Smoke-Free
Arizona requires that no smoking occur inside or within 20 feet of a place of business, with 7 exemptions,
26
A.R.S. §41-2702(G).
27
ECivis is a State-wide grant management system that centralizes grant activities among State agencies, departments, boards, and
commissions. For example, State agencies such as the Department must use the system to solicit grants, evaluate grant applications, and track
reports the grantee is required to submit after the grant has been awarded, such as financial reports.
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 29
including 1 for outdoor patios that meet specific requirements. The Department provides “No Smoking” signs
free of charge to businesses.
In addition, many of the Department’s services and information can be accessed online. This includes access to the
Department’s inspection records for childcare and healthcare facilities through a searchable database, available
on the Department’s AZ Care Check website; ordering official birth and death certificates; and information about
chronic diseases such as heart disease, stroke, lung disease, diabetes, asthma, and cancer.
However, we found that deficiencies in the Department’s conflict-of-interest process increased the risk of
nondisclosure and recommended that the Department continue its efforts to develop and implement a new
conflict-of-interest disclosure process that will help it comply with the State’s conflict-of-interest requirements
and best practices, such as having public officials and employees annually disclose whether or not they have
any substantial financial and/or decision-making conflicts and training employees on how the State’s conflict-of-
interest requirements relate to their unique program, function, or responsibilities (see Finding 2, pages 17 through
19).
Sunset factor 4: The extent to which rules adopted by the Department are consistent with the legislative
mandate.
We were unable to determine if the Department had fully adopted rules required by statute because the Department
does not maintain a list of all statutes requiring rules and the associated rules that have been adopted. However,
according to the Department, it monitors legislation to identify rules or rule changes that may be needed because
of changes in legislation. In addition, the Department regularly reviews and updates its rules. For example, in
2018, the Department submitted 21 rule review reports, which are reports of existing rules that statute requires
agencies to submit every 5 years to the Governor’s Regulatory Review Council for review to determine whether
any rule should be amended or repealed.28 In addition, according to the Department’s website, as of May 9, 2019,
the Department had 13 rulemakings in process. The Department also addressed rule deficiencies identified in our
2009 sunset review of the Department (see Report No. 09-11), including making changes to childcare facilities
and group homes licensing rules between 2009 and 2018, hearing aid dispensers licensing and regulation rules
in 2014, and tuberculosis control rules in 2018 and 2019.
Sunset factor 5: The extent to which the Department has encouraged input from the public before adopting
its rules and the extent to which it has informed the public as to its actions and their expected impact on
the public.
The Department has provided opportunities for public input before adopting its rules. Specifically, we reviewed 3
rulemakings finalized prior to January 25, 2019, and in all 3 cases, the Department had informed the public of its
rulemaking activities, encouraged the public to provide input on the proposed rules, and informed the public of
the expected impact the proposed rules would have.
The Department is responsible for more than 30 boards, commissions, committees, councils, subcommittees,
teams, and user or work groups that are subject to open meeting law requirements. However, we found that the
Department did not consistently comply with open meeting law requirements for 3 meetings we reviewed: the
April 2019 and May 2019 meetings of the Public Health Prevention Services Block Grant Advisory Committee and
the May 2019 meeting of the Emergency Medical Services Council. Specifically:
• The Public Health Prevention Services Block Grant Advisory Committee did not publicly notice its April 2019
meeting. Further, although both the Public Health Prevention Services Block Grant Advisory Committee and
the Emergency Medical Services Council properly posted online notices for their May 2019 meetings, the
Department has not conspicuously posted a statement on its website stating where all notices of public
meetings would be posted, including the physical and electronic locations, as required by A.R.S. §38-431.02
(A)(1).
28
A.R.S. §41-1056(A).
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 30
• The Public Health Prevention Services Block Grant Advisory Committee did not provide its April 2019
meeting minutes or an audio recording of the meeting to us until 9 business days after the meeting occurred,
as opposed to within 3 business days as required by A.R.S. §38-431.01(D). Meeting minutes and audio
recordings were provided within 3 business days after the meeting for the May 2019 meetings of the Public
Health Prevention Services Block Grant Advisory Committee and the Emergency Medical Services Council.
The Department lacks comprehensive policies and procedures and formalized training for open meeting law
compliance for its boards and commissions and staff members. It also does not have an oversight process to
help ensure that the boards and commissions it supports comply with open meeting law requirements. Further,
the Department’s website does not have a conspicuously posted statement indicating the location for electronic
and physical postings of public notices of meeting and is missing some information about the boards, councils,
and committees it supports, such as information about their purpose, meeting minutes, and agendas. In addition,
some of the entities listed on the Department’s website as being subject to open meeting law are no longer
active, such as the Racial & Ethnic Approaches to Community Health Advisory Council.
Recommendations
The Department should:
12. Develop and implement policies, procedures, and training to help guide the boards, commissions, and
councils it supports; and its staff members’ compliance with open meeting law requirements.
13. Develop and implement an oversight process to ensure that the boards, commissions, and councils it
supports comply with open meeting law requirements.
14. Update its website to include a conspicuously posted statement indicating the location for all electronic and
physical postings of public meeting notices and a complete and accurate listing of all the entities that are
subject to open meeting law along with information about their purposes and where to locate information
about these entities’ public meetings, such as agendas and minutes.
Department response: As outlined in its response, the Department agrees with the finding, and will
implement the recommendations.
Sunset factor 6: The extent to which the Department has been able to investigate and resolve complaints
that are within its jurisdiction.
The Department receives complaints pertaining to the functions it performs. Complaints can be submitted to
the Department in many ways, including electronically. For example, the Department’s Public Health Licensing
Division has an online complaint system for people to submit complaints about the areas it regulates, such
as childcare, long-term care, medical, and residential facilities. In addition, the Department has another online
system, AZ Care Check, that provides the public with Statements of Deficiencies, which include the citations
of noncompliance with laws or rules for substantiated complaints, and the Plan of Correction developed and
implemented by the facility to address the cited deficiencies. According to Department-provided data, the
Department received 14,707 complaints during calendar years 2017 and 2018, for the functions its Public Health
Licensing, Preparedness, and Prevention Divisions perform, including complaints regarding the various facilities
and some medical-related professions it licenses and regulates.
We reviewed the Department’s complaint-handling policies and procedures for the Bureau of Emergency Medical
Services and Trauma System, which is part of the Department’s Preparedness Division. This Bureau is responsible
for establishing, coordinating, and administering a State-wide system of emergency medical services, trauma
care, and trauma registry. It handles complaints against emergency medical care technicians and emergency
medical services providers, such as ground ambulance services and advanced life support base hospitals. We
found that the Bureau’s procedures were detailed and provided step-by-step processes for handling complaints
from start to finish. We also conducted a review of the Department’s complaint-handling processes for 2 additional
areas—medical marijuana facilities and long-term care facilities—and identified the following:
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 31
• Some medical marijuana facility complaints inadequately investigated and monitored—We found
that some complaints were inappropriately determined to not be within the Department’s jurisdiction and,
therefore, were not investigated; some complaints were inaccurately categorized after investigation; and
complaint investigations were not adequately documented. We recommended that the Department update
and implement policies and procedures and staff training for its medical marijuana complaint-handling
process (see Auditor General Report 19-107).
• Some long-term care facility complaints and self-reports not investigated or not investigated
timely—We found that the Department did not investigate or untimely prioritized, investigated, or resolved
some long-term care facility complaints and self-reports. We recommended that the Department investigate
all complaints and self-reports; and ensure that all complaints and self-reports are prioritized, investigated,
and resolved in a timely manner by continuing its efforts to allocate new or reallocate some existing staff
to complaint and self-report prioritization, investigation, and resolution, establishing a time frame for
completing investigations and closing long-term care facility complaints and self-reports, and developing and
implementing additional bimonthly management reports for monitoring whether and how quickly complaints
and self-reports are being prioritized, investigated, and resolved (see Finding 1, pages 7 through 15).
Sunset factor 7: The extent to which the Attorney General or any other applicable agency of State
government has the authority to prosecute actions under the enabling legislation.
A.R.S. 41-192(A)(1) requires the Attorney General to act as the Department’s legal advisor and to provide all legal
services the Department requires.
Sunset factor 8: The extent to which the Department has addressed deficiencies in its enabling statutes
that prevent it from fulfilling its statutory mandate
According to the Department, there are no deficiencies in its enabling statutes that prevent it from fulfilling its
statutory mandate.
Sunset factor 9: The extent to which changes are necessary in the laws of the Department to adequately
comply with the factors listed in this sunset law.
We recommended that the Legislature consider establishing in statute requirements for the Department to
investigate all long-term care facility complaints and self-reports and time frames for completing investigations of
and closing out long-term care facility complaints and self-reports (see Finding 1, pages 7 through 15).
Sunset factor 10: The extent to which the termination of the Department would significantly affect the
public health, safety, or welfare.
Terminating the Department would affect the public health, safety, and welfare if its responsibilities were not
transferred to another entity. The Department’s mission is to promote, protect, and improve the health and wellness
of individuals and communities in Arizona. According to the Department, it manages over 300 programs designed
to address State-wide public health issues. Some examples of the Department’s programs that promote, protect,
and/or improve public health, safety, and welfare include:
• Its regulatory programs that license, inspect, and handle complaints for childcare and healthcare facilities,
including 147 long-term care facilities.
• Its State Laboratory Services, which include identifying and investigating infectious and communicable
diseases.
• Its WIC program, which, according to its website, assists over 145,000 women, infants, and children monthly
with breastfeeding support, information about community resources, nutrition education, and nutrition
assistance.
• Its programs at the State Hospital, which provide inpatient psychiatric care services to court-ordered persons
with mental illnesses.
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 32
Sunset factor 11: The extent to which the level of regulation exercised by the Department compares to other
states and is appropriate and whether less or more stringent levels of regulation would be appropriate.
We found that the level of regulation the Department exercises appears appropriate and is generally similar to
the level of regulation in the 3 other states that we selected for review: Colorado, Nevada, and New Mexico.29
Specifically, we found that Arizona and all 3 of the other states regulate similar areas, including facilities where
care for vulnerable populations is provided, such as childcare and assisted living facilities, and nursing care
institutions. In addition, Arizona and these other states also regulate medical facilities, such as hospitals, hospice
and home health agencies, medical marijuana, and emergency medical services, such as ground ambulance
services. Finally, Arizona and these other states also regulate some health-related occupations, such as emergency
medical care technicians, certain medical radiologic technologists, and speech-language pathologists.
We more closely reviewed the regulation of nursing care, assisted living, and childcare facilities and ground
ambulance services in these 3 states and found:
• Nursing care facilities and assisted living facilities—Arizona and all 3 states require these facilities
to be licensed. Licensure requirements generally include the requirement to have a governing body that is
responsible for the organization, operation, and administration of the facility; a licensed/certified administrator/
manager; administrative and operational policies and procedures; and compliance inspections.
• Childcare facilities—Arizona and all 3 states require childcare facilities to be licensed. In Arizona, a childcare
facility is any facility in which childcare is regularly provided for compensation for 5 or more children not
related to the proprietor. Licensure requirements generally require licensed facilities to undergo inspections
and ensure that their staff complete continuing education and fingerprinting. Also, childcare facilities must
establish health and safety standards, such as those related to immunization requirements and child-to-staff
ratios.
• Ground ambulance services—Arizona and all 3 states regulate ground ambulance services. In Arizona,
ground ambulance services are regulated through a Certificate of Necessity (CON) system. Under this system,
an applicant must apply for and receive a CON through the Department and adhere to the restrictions in the
CON. The CON regulates service areas, response times, and rates and charges to ensure providers are
charging appropriately. Although the 3 other states do not regulate ground ambulance services through a
CON, we found that each state or another governmental entity within each state regulate the same types
of areas included within Arizona’s CON. For example, Arizona and all 3 states have regulations related to
response times, service areas, and certificates of insurance. In addition, Arizona and New Mexico require
that the ambulance service provider be deemed fit and proper. In Arizona, this is defined as having expertise,
integrity, fiscal competence, and resources to provide ambulance service in the service area.
Sunset factor 12: The extent to which the Department has used private contractors in the performance
of its duties as compared to other states and how more effective use of private contractors could be
accomplished.
The Department uses contracts and agreements to help accomplish major functions. Specifically, in fiscal year
2018, the Department spent more than $193 million for more than 1,100 contracts and agreements, which
represented 43 percent of the Department’s fiscal year 2018 expenditures. We compared the Department’s
use of contracted services to those used by 3 states: Colorado, Nevada, and New Mexico. We compared 17
contracted services that the Department deemed key to its mission-critical functions and found that the other
states generally used similar contracted services. For example, Arizona and all 3 states use private contracts
for EMS and Trauma System data registry and storage, HIV patient pharmaceuticals, marketing, and temporary
staffing. There were a few areas where Arizona was contracting for services that none of the 3 other states were
contracting for or only one other state was doing so. For example, Arizona is the only state that contracts for
housekeeping services for state-run, in-patient behavioral health facilities. In addition, only one of the 3 other
29
These states were judgmentally selected (see Appendix A, page a-3).
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 33
states, Colorado, contracts for medical marijuana card printing, software, and supplies, and New Mexico was the
only other state that, like Arizona, contracted for teen pregnancy prevention education services.
We did not identify any additional areas where the Department should consider using private contractors.
However, our performance audit of the Department’s procurement and contract monitoring practices found that
the Department did not follow some State procurement requirements for 22 of 25 contracts we reviewed, paid
for some services without ensuring they were provided, and did not consistently provide adequate oversight to
ensure the appropriate use of public monies (see Auditor General Report 19-109).
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 34
SUMMARY OF RECOMMENDATIONS
FINDING/CHAPTER X
1. Ensure all long-term care facility complaints and self-reports are prioritized, investigated, and resolved in a
timely manner by taking the following actions:
a. Continue with its efforts to allocate new or reallocate existing staff to prioritize, investigate, and resolve
long-term care facility complaints and self-reports on a full-time basis.
b. Develop and implement a time frame for completing investigations and closing long-term care facility
complaints and self-reports.
c. Regularly update its policies and procedures to reflect changes in its current long-term care facility
complaint and self-report investigation and resolution practices and CMS requirements.
d. Develop and implement additional bimonthly management reports to monitor whether and how quickly
its long-term care facility complaints and self-reports are being prioritized, investigated, and resolved.
e. Ensure that any complaints and self-reports that are investigated during an annual survey or outside of
the annual survey are initiated and investigated according to the time frames required by the assigned
priority level (see Finding 1, pages 7 through 15, for more information).
2. Continue its efforts to develop and implement a new conflict-of-interest disclosure process and form that will
help it comply with the State’s conflict-of-interest requirements and best practices, such as having public
officials and employees annually disclose whether or not they have any substantial financial and/or decision-
making conflicts, and train employees on how the State’s conflict-of-interest requirements relate to their
unique program, function, or responsibilities (see Finding 2, pages 17 through 19, for more information).
3. Develop and implement web application development policies and procedures that incorporate security
into the development and modification process, including requirements for gathering security requirements,
using up-to-date secure coding standards, performing threat modeling during development, reviewing
source code, and performing security testing before releasing a web application to the live environment
(see Finding 3, pages 21 through 25, for more information).
4. Require staff who are responsible for developing web applications to regularly receive role-based training
on how to develop and maintain secure web applications (see Finding 3, pages 21 through 25, for more
information).
5. Develop and implement revised data classification policies and procedures that provide guidance on how
to classify its data; require developing a data classification inventory that is updated regularly; specify
requirements for protecting data based on its level of risk; and establish processes for handling confidential
data, such as ensuring that only approved devices process confidential data (see Finding 3, pages 21
through 25, for more information).
PAGE 35
6. Conduct a formal Department-wide risk assessment at least annually, as required in its risk assessment
policy and procedures, to evaluate, document, and prioritize the areas in the Department’s IT environment
with the highest security risks (see Finding 3, pages 21 through 25, for more information).
7. Develop and implement a revision to its risk assessment policy and procedures to include categorizing the
Department’s information based on the likelihood of risk and magnitude of harm as required by ASET policy
(see Finding 3, pages 21 through 25, for more information).
8. Develop and implement revised security awareness training policies and procedures that include a process
for ensuring employees and contractors comply with annual basic security awareness and HIPAA training
requirements and acceptable use attestations; specify the role-based training that is required based on
employees’ and contractors’ responsibilities; explain how it will implement its security awareness program;
and describe the topic areas that its security awareness training classes should cover; and specify how it
will communicate security awareness training throughout the year (see Finding 3, pages 21 through 25, for
more information).
9. Continue with its plans to develop and implement role-based training (see Finding 3, pages 21 through 25,
for more information).
10. Continue using the electronic grants management system, and ensure that for all future grant evaluations
conducted using this system its grant evaluations clearly indicate whether grant applicants complied with all
evaluation criteria and that all evaluation factors are included in the grant solicitation (see Sunset Factor 2,
pages 27 through 29 for more information).
11. Develop and implement policies, procedures, and training to help guide the boards, commissions, and
councils it supports; and its staff members’ compliance with open meeting law requirements (see Sunset
Factor 5, pages 30 through 31, for more information).
12. Develop and implement an oversight process to ensure that the boards, commissions, and councils it
supports comply with open meeting law requirements (see Sunset Factor 5, pages 30 through 31, for more
information).
13. Update its website to include a conspicuously posted statement indicating the location for all electronic and
physical postings of public meeting notices and a complete and accurate listing of all the entities that are
subject to open meeting law along with information about their purposes and where to locate information
about these entities’ public meetings, such as agendas and minutes (see Sunset Factor 5, pages 30 through
31, for more information).
1. Consider forming a task force to study and propose policy options for addressing the Department’s timely
investigation and processing of long-term care facility complaints and self-reports to help ensure resident
health and safety. Options to consider include establishing requirements for investigating all complaints and
self-reports, appropriate time frames for conducting investigations of and closing out long-term care facility
complaints and self-reports, and reporting performance metrics to the Legislature. Task force members
should include appropriate stakeholders, such as legislators, Department representatives, Arizona
Department of Economic Security representatives, industry members (i.e., long-term care facility owners or
licensed administrators), patient advocates, and if appropriate, a federal CMS representative. Legislation
forming the task force should identify task force membership, its overall purpose and expected outcomes,
and deadlines for reporting recommendations to the Legislature. (see Finding 1, pages 7 through 15, for
more information).
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE 36
APPENDIX A
We used various methods to review the issues in this performance audit and sunset review. These methods
included interviewing Department staff and reviewing Department statutes and rules and Department-provided
information, including policies, procedures, its responses to the sunset factors, and website information. We
used the following specific methods to meet the audit’s objectives:
• To assess the Department’s compliance with State and federal long-term care facility complaint- and self-re-
port-handling requirements, we reviewed the Department’s policies and procedures, CMS State Operations
Manual chapters 5 and 7, code of federal regulations, and complaint-handling time frame requirements
for 11 western states, and conducted interviews with Department staff and CMS officials.30 In addition, we
reviewed complaints and facility-reported incidents (self-reports) for a judgmental sample of 5 of the 147
CMS certified/state licensed long-term care facilities. We judgmentally selected 2 of the 5 facilities in our
sample using information from a searchable database available through the Department’s AZ Care Check
website and CMS’ websites because of discrepancies in each facility’s ratings on the 2 websites. Specifically,
the Department’s AZ Care Check website indicated that both facilities had been given an A rating, yet the
CMS website indicated that the 2 facilities were rated overall as below average and much below average.
We selected 3 facilities from a list of 39 facilities that had undergone and completed surveys (inspections)
between December 2018 and May 2019 to ensure we captured facilities from across the State within our
sample. Specifically, of the 5 total facilities selected, 2 were Phoenix-area facilities, 1 was a Tucson facility, and
2 were facilities located in rural areas. We reviewed 33 of the 34 complaints pertaining to these facilities that
the Department received in calendar years 2017 and 2018 and judgmentally selected 37 of 172 self-reports
submitted by these 5 facilities in calendar years 2017 and 2018 for review.31 We judgmentally selected these
37 self-reports to ensure our sample included self-reports from each of the 5 facilities, self-reports that were
received throughout both calendar years, and self-reports at different stages of completion (such as closed,
pending investigation, or not yet prioritized).
We also reviewed Department-provided data concerning all long-term care complaints and self-reports the
Department received during calendar years 2017 and 2018. We conducted work to assess the validity and
reliability of this data and determined it to be reasonably complete and accurate for the purposes of this
audit, including reporting the overall number and statuses of complaints and self-reports received by the
Department in calendar years 2017 and 2018. In addition, to determine if Department staff had sufficient
30
We reviewed 11 western states: California, Colorado, Hawaii, Idaho, Montana, Nevada, New Mexico, Oregon, Utah, Washington, and Wyoming.
31
We removed 1 complaint from the sample due to inconsistencies in the reported data. For example, the date the complaint was received
occurred after the documented date of investigation. In addition, 4 of the self-reports in our sample were submitted to the Department in 2016.
We retained these self-reports in our sample because the Department’s system classified them as received in 2017 since their intake was not
completed until 2017.
PAGE a-1
complaint processing guidance, we reviewed complaint-handling policies and procedures for the Bureau of
Emergency Medical Services and Trauma System.
• To assess the Department’s compliance with the State’s conflict-of-interest law requirements and alignment
with best practices, we reviewed statutes, best practices, the Arizona Department of Administration’s State
Personnel Employee Handbook, chapter 8 of the Arizona Agency Handbook, and the conflict-of-interest form
the Department was using.32
• To evaluate the Department’s compliance with the State’s IT security requirements for 4 areas—web application
development, data classification, risk assessment, and security awareness training—we compared the
Department’s policies, procedures and practices to ASET requirements, and credible industry standards.
In addition, we assessed whether its employees had received required IT security awareness training and
HIPAA training in 2018 and selected a random sample of 30 of 1,128 employees as of March 25, 2019, to
determine if they had completed the Department’s required acceptable use attestations in calendar year
2018.33
• To determine whether the Department was continuing to address the nonionizing and x-ray facility inspection
backlog identified in a prior performance audit and associated follow-up reports (see Report No. 15-111,
36-month follow-up report), we analyzed Department-provided inspection backlog data for nonionizing and
x-ray facilities as of February 2019 and May 2019. We conducted work to assess the validity and reliability of
this data and determined it to be reasonably complete and accurate for the purposes of this audit, including
reporting the overall number of nonionizing and x-ray facilities and the status of the inspection backlog as of
May 2019.
• To determine whether the Department appropriately awarded and monitored grants, we judgmentally selected
3 of the Department’s 115 grants that it made payments for in fiscal 2017: SNAP-Ed, Teenage Pregnancy
Prevention/Title V Abstinence Education, and Rural Safe Home/Domestic Violence Prevention. These 3 grants
were selected based on the amount of grant monies awarded and the importance of the grant programs to
the Department’s mission. We reviewed the Department’s grant award files and practices for these grants
and compared them to statutory requirements for awarding grants outlined in A.R.S. §41-2701 et seq and
grant monitoring criteria.34
• To assess the Department’s compliance with the State’s open meeting law requirements, we selected 2
entities from the list of over 30 entities the Department reported supporting that are subject to open meeting
law. We selected these 2 entities based on their mission-critical function, statutory obligations, and availability
of information provided by the Department’s website. We reviewed the notice, agenda, and meeting minutes
and attended 2 public meetings—the May 2019 Public Health Prevention Services Block Grant Advisory
Committee meeting and the May 2019 Emergency Medical Services Council meeting. In addition, we assessed
the Public Health Prevention Services Block Grant Advisory Committee’s compliance with open meeting
law requirements for its April 2019 meeting. We also conducted interviews with staff from the meetings we
attended, reviewed Department open meeting law policies and procedures, and reviewed the Bureau of
Emergency Medical Services and Trauma System’s bylaws.
32
Organization for Economic Cooperation and Development (OECD). (2003). Guidelines for managing conflicts of interest in the public service.
Paris, France. Retrieved 3/27/2019 from http://www.oecd.org/gov/ethics/2957360.pdf; Ethics & Compliance Initiative. (2016). Conflicts of
interest: An ECI benchmarking group resource. Arlington, VA. Retrieved 3/27/2019 from https://www.ethics.org/knowledge-center/conflicts-of-
interest-report/; and Office of the Auditor-General New Zealand. (2007). Managing conflicts of interest: Guidance for public entities. Wellington,
New Zealand. Retrieved 8/6/2019 from https://www.oag.govt.nz/2007/conflicts-public-entities/docs/oag-conflicts-public-entities.pdf.
33
After selecting our random sample of 30 employees, we removed 2 employees because their start dates were in calendar year 2019.
34
State of Arizona Accounting Manual; Arizona Office of Grants and Federal Resources. (2018). Arizona grants manual: Grantor. Phoenix, AZ:
Arizona Department of Administration. Retrieved 8/6/2019 from https://grants.az.gov/grant-manual; National State Auditors Association (NSAA).
(2003). Contracting for services: A National State Auditors Association best practices document. Lexington, KY; and Financial Fraud Enforcement
Task Force (FFETF). (2012). Reducing grant fraud risk: A framework for grant training. Washington, DC: U.S. Department of the Treasury.
Retrieved 6/8/2019 from https://oig.justice.gov/reports/2012/Grant-Fraud-Training-Framework.pdf.
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE a-2
• To compare the Department’s regulatory activities and use of private contractors with other states, we selected
3 states—Colorado, Nevada, and New Mexico—for review.35 We reviewed these states’ statutes, rules, and
websites to gather information about their regulatory responsibilities and compare them to Arizona. We also
contacted staff in these 3 states to learn more about their use of contracted services and compared this to
the Department’s use of contracts.36
• To obtain information for the report’s Introduction, we reviewed the Department’s website and Department-
provided information on staffing and budget. We reviewed statutes, rules, and session laws related to
licensure of intermediate care facilities for individuals with intellectual disabilities. Additionally, we compiled
and analyzed information from the Arizona Financial Information System Accounting Event Transaction File for
fiscal years 2017 through 2019 and Department-provided information.
• Our work on internal controls focused on the Department’s processes for handling long-term care facility
complaints; disclosing conflicts of interest; complying with State IT security or credible industry standards
for web application security, data classification, risk assessment, and security awareness training; awarding
and monitoring grants; and complying with open meeting law requirements. Conclusions on this work are
included in Findings 1, 2, and 3 (see pages 7 through 25), and in our responses to Sunset Factors 2 and 5
(see pages 27 through 31). Computerized system information was not significant to our objectives; therefore,
we did not conduct test work on information systems controls.37
We conducted this sunset review in accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
We express appreciation to the Department’s Director and staff for their cooperation and assistance throughout
the review.
35
These states were judgmentally selected based on regulatory functions and geographic location.
36
We selected Department contracts based on Department input and auditor judgment regarding those contracts that help the Department to
complete its mission-critical functions.
37
Although computerized systems controls were not significant to our objectives, we conducted validation and reliability work on Department-
provided data for the total number of long-term care facility complaints and self-reports received in 2017 and 2018 and determined the data to
be reasonably complete and accurate for the purposes of this audit.
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE a-3
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE a-4
APPENDIX B
1. The Department makes the following statements related to Finding 1 (see Department’s response pages 2
and 3):
“For example, in Finding 1, the report makes sweeping statements about public health and safety risks in the
context of the auditors’ review of 33 complaints and a judgmental sample of 37 self-reports for 5 long-term
care facilities that are regulated and funded through an agreement with the federal Centers for Medicare and
Medicaid Services (CMS). However, the audit fails to provide context for this analysis and findings. In total,
long-term care facilities represent less than 0.5 percent of the total licensees under Department regulation
and the sample of 5 facilities represents 0.014% of total licensees under the Department’s jurisdiction. The
complaints reviewed represent roughly 0.4% of all complaints received by the Department during the two-
year period under evaluation. Rather than articulating how the Department performs across this wide range of
activities to protect public health and safety and investigating and resolving complaints within its jurisdiction,
the audit findings focus on this very narrow non-representative sample. In addition to only representing a
small subset of the Department’s overall regulatory activity, this sample is even small within the overall long-
term care facility regulation framework, which received a total of 4,959 complaints over the two-year period
in question.”
We disagree with the Department’s characterizations. These statements are misleading, misrepresent the
finding, and attempt to deflect attention from the Department’s failure to investigate, or timely investigate
or resolve, some long-term care facility complaints and self-reports. Specifically:
a. Finding 1 does not include a sweeping statement regarding public health and safety, but instead
clearly indicates that long-term care facility residents may be at risk because of the Department’s
failure to investigate, or timely investigate, some long-term care facility complaints and self-reports. In
fact, the finding provides examples of complaints and self-reports from the sample we reviewed that
include allegations of abuse and neglect and unsanitary living conditions that, if substantiated, either
did or could put facility residents at risk. The failure to investigate these complaints or investigate
them in a timely manner exacerbates this risk (see Finding 1, pages 7 through 15).
b. Section headings and numerous sentences within the finding clearly discuss how our samples were
selected and the specific results of those samples. For example, of the 147 long-term care facilities
that are State licensed/CMS certified, we judgmentally selected 2 of the 5 facilities in our sample
using information from a searchable database available through the Department’s AZ Care Check
website and CMS’ website because of rating discrepancies in each facility’s ratings on the 2 websites.
Specifically, the Department’s AZ Care Check website indicated that both facilities had been given
an A rating, yet the CMS website indicated that the 2 facilities were rated overall as below average
and much below average. We selected 3 facilities from a list of 39 facilities that had undergone and
completed surveys (inspections) between December 2018 and May 2019 to ensure we captured
PAGE b-1
facilities from across the State within our sample. Specifically, of the 5 total facilities selected, 2 were
Phoenix-area facilities, 1 was a Tucson facility, and 2 were facilities located in rural areas of the State
(see Finding 1, footnote 10, page 8).
Although our test work was not designed nor intended to be generalized to the population of
long-term care facilities, the methods we used to select and review complaints and self-reports
provide reasonable assurance that the problems we identified are likely not limited to the facilities
we reviewed. Furthermore, Department-provided data indicates that as of June 2019, 2,767 of the
4,958 long-term care facility complaints and self-reports the Department received in calendar years
2017 and 2018, or approximately 56 percent, remained open and uninvestigated (see Finding 1,
page 9), consistent with our conclusion. The sample of complaints and self-reports we reviewed was
sufficient, in the context of other evidence we provided in the report, to conclude that the Department
did not timely prioritize and initiate some investigations on the complaints and self-reports it received
against long-term care facilities (see Finding 1, pages 10 through 11).
2. The Department makes the following additional statements related to Finding 1 (see Department’s response
page 3):
“We would also note that under this federal program overseeing long-term care facilities, the Department
performs functions for CMS, who sets the expectations, requirements and funding for the program. The
Department is currently in compliance with those requirements as determined by CMS. The audit establishes
expectations for the Department beyond those that exist in its agreement with CMS or as currently established
by the Legislature, including establishing investigation time frames by examining policies in other states
without a comprehensive analysis of those other states’ requirements and available resources. If the State
wants to expand the regulation of this industry beyond the federal requirements, including an evaluation of
Arizona’s long-term care marketplace and resources needed to meet any additional expectations that are
set, the Department would be pleased to participate in those discussions. In summary, we will not detail every
individual concern with how the audit articulates its findings. But as a result of these concerns, we cannot
agree with Finding 1.”
Similar to the Department’s response noted in number 1 above, the Department includes statements in
this portion of its response that misrepresent its compliance with CMS requirements and expectations
regarding its performance related to investigating long-term care facility complaints and self-reports.
Specifically:
a. Although the Department indicates that CMS has determined it is in compliance with CMS
requirements for overseeing long-term care facilities, as indicated in our report, the Department
is not meeting all CMS requirements. The Department is federally required to investigate all
complaints and self-reports and prioritize and initiate investigations of those complaints and self-
reports in a timely manner. As presented in Finding 1, as of June 2019, 38 of the 70 complaints
and self-reports in our sample, or 54 percent, remained uninvestigated between 173 and 904 days
after receipt. We also identified deficiencies with timely prioritizing and initiating investigations in
accordance with CMS requirements for the complaints and self-reports in our sample, similar to
CMS findings. Specifically, as indicated in our report, according to the Department’s 4 annual CMS
State Performance Evaluations for federal fiscal years 2015 through 2018, the Department did not
always meet the federal time frame for initiating its complaint and self-report investigations (see
Finding 1, pages 9 through 11, and 13).
b. Performance audits provide findings and recommendations to help management improve program
performance and operations. These recommendations should not be limited to what is required only
by State or federal laws and regulations, but include recommendations to help improve performance
and protection of the public health and safety—and in this case, residents of long-term care facilities.
As a result, our report provides meaningful, common-sense recommendations, such as establishing
a time frame for completing investigations or developing and implementing additional management
reports for Department management review and analysis that will help ensure that all complaints and
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE b-2
self-reports are prioritized, investigated, and resolved in a timely manner (see Finding 1, page 14). In
addition, we include information on other states when appropriate to provide helpful benchmarking
information for the audited agency, policymakers, and other users of our performance audit reports.
As indicated in Appendix A of our report (see page a-1), we researched whether 11 western states had
complaint-handling time frames and identified 1 state, California, that statutorily requires complaint
investigations to be completed within 60 days of receipt (see Finding 1, page 10).
3. The Department makes the following statements related to Finding 3 (see Department response pages 3
through 4):
“The Department also cannot agree with Finding 3. We take seriously our obligation to protect critical,
sensitive and confidential data. ADOA-ASET is the Arizona office responsible for setting the technology,
security, privacy, and communication strategies, policies, and procedures for the state of Arizona. ASET’s
guiding principles include Driving best-in-class, enterprise-wide security standards through the office of
the state Chief Information Security Officer (CISO) in an effort to ensure that all cyber security initiatives are
secure and compliant. To this end, ASET provides leadership, standards and governance across all of state
government, leveraging its experts to set expectations and monitor enterprise security controls and state
agency activities. The report misrepresents our IT security processes, including using inaccurate terminology
to describe activities in the report (e.g., use of the term “breach”, which did not occur, but was implied to
have occurred in the report). The incident referenced in the audit involved a multistep, complicated process
in which an individual would have needed specific knowledge to access the information. Contrary to what is
reported in the audit, ADHS’s web application development policies and procedures are aligned with ASET
and credible industry standards.”
“In addition, the audit reports that the Department has not conducted a formal Department-wide IT risk
assessment since 2015. This misleading statement fails to explain that ASET conducted a state-wide risk
assessment several years ago and determined that Arizona could greatly reduce IT risks by implementing
enterprise controls. The Department and other states agencies have focused on implementing these controls
over the past few years, including the establishment of RiskSense, a tool used for IT vulnerability management
and risk scoring. The RiskSense platform includes the assignment of a safety score which is used to evaluate
and monitor each agency’s risk exposure. Governor Ducey and ASET set a goal for each state agency
to maintain a score of 725 or above; the Department currently exceeds this goal. In addition, the score is
updated at least twice a month and Department leadership reviews its performance weekly and allocates
resources as needed to address identified issues. Now that these controls have been implemented, the
Department plans to return to performing annual risk assessment. The Department believes ASET provides
sufficient and appropriate leadership on IT security issues and will continue to work collaboratively with ASET
to maintain its agency’s information security. It will also implement recommendations that will continue to
enhance its procedures.”
We disagree with some of the Department’s statements included in the above portion of its response.
They are inaccurate or are an attempt to minimize the importance of our findings and recommendations
that are provided to help improve the Department’s processes for safeguarding critical, sensitive, and
confidential data and reduce the risk of unauthorized access to this data. Specifically:
a. The Department states that by using the term “breach” in Finding 3, our report implies that a breach
occurred. This statement misrepresents our finding in this area. We use the term “breach” to explain
a statutory requirement relating to the unauthorized access of confidential data, not to describe the
incident. Specifically, statute states that it is a class 1 misdemeanor for any person, including an
employee or official of the Department or another State agency or local government, to breach the
confidentiality of this information. However, in discussing the unauthorized access that occurred,
we refer to it as a security weakness and a security incident, not a breach. Similarly, based on its
own investigation of what we found and reported to the Department, the Department used similar
language in reporting that a security incident had occurred (see Finding 3, pages 21 through 22).
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE b-3
b. The Department indicates that the security incident we report involved a multistep, complicated
process. We disagree. Obtaining access to the information involved only a few steps, including
a common step that an attacker would initiate. Specifically, as stated in the report, a concerned
member of the public informed us of the security weakness on a Department website that allowed
them unauthorized access to statutorily confidential data. Based on the information provided, we
were able to obtain unauthorized access, and it was not complicated to do so. Additionally, the
Department’s response downplays the significance of the security weakness found during the audit.
c. The Department indicates that its web application development policies and procedures are aligned
with ASET and credible industry standards. We disagree. Based on the documents the Department
provided for our review and as indicated in our report, its policies and procedures are not aligned with
ASET and credible industry standards because they do not require gathering security requirements,
using up-to-date secure coding standards, performing threat modeling during web application
development, and performing security testing (see Finding 3, page 22).
d. The Department indicates that our statement regarding when it last conducted a formal Department-
wide risk assessment is misleading. However, based on the documents and information the
Department provided, we accurately report that the Department has not performed a Department-
wide risk assessment since 2015. In addition, despite other activities the Department is performing
as mentioned in its response, ASET policy requires the Department to conduct a Department-wide
risk assessment at least annually (see Finding 3, pages 23 through 24).
4. Finally, as indicated in its response, the Department also does not plan to implement recommendations 5
and 6 from our report (see Department response page 7).
We disagree with the Department’s determination to not implement recommendations 5 and 6. By not taking
steps to implement these recommendations, the Department will not be doing everything it can and/or is
required by ASET policy to safeguard its IT systems and data, thus increasing the risk of inappropriate or
unauthorized access to these systems and data. Specifically, Recommendation 5 focuses on requiring its
web application development staff to receive regular role-based training. Although its staff have received
training, by not requiring its staff to regularly receive role-based training, the Department risks its staff
not being up to date on secure coding practices or IT security threats. Recommendation 6 focuses on
updating its data classification policies and procedures to provide guidance on how to classify its data
and creating and updating a data classification inventory, as required by ASET and recommended by
credible industry standards. As indicated in our report, data classification helps to ensure sensitive data
is protected from loss, misuse, or inappropriate disclosure (see Finding 3, page 23).
Arizona Auditor General Arizona Department of Health Services—Sunset Factors | September 2019 | Report 19-112
PAGE b-4
AGENCY RESPONSE
DEPARTMENT RESPONSE
ARIZONA DEPARTMENT
OF HEALTH SERVICES
Thank you for the opportunity to respond to your audit on our statutory sunset factors. We
appreciate the role that the Auditor General plays in supporting the legislative Sunset
Review process in providing information used to evaluate whether departments are
meeting their statutory obligations and continue to be needed in state government.
The Arizona Department of Health Service (ADHS or the Department) serves a critical role
in promoting, protecting and improving the health and wellness of all Arizonans as we
provide public health services throughout their entire lifecycle. The Department, through
approximately 300 programs it administers, serves all 7.1 million Arizonans. Many people
may not recognize the impact that public health has on every facet of our daily lives. There
are many ways we help improve the lives of all Arizonans, including:
• Protecting the health and lives of all Arizonans by controlling epidemics
• Educating people on healthy habits, such as nutritious eating and getting physical
activity
• Assisting people with tobacco cessation and disease self-management
• Ensuring safe food and water
• Testing virtually all newborns for metabolic diseases and serving as the State's only
reference laboratory
• Improving access to physical and behavioral health
• Monitoring hospitals, nursing homes, assisted living centers, ambulances, childcare
centers and other licensed facilities and professionals
• Documenting every vital event in Arizona including all births, deaths and adoptions
We also operate the Arizona State Hospital (ASH), which provides high acuity, inpatient
psychiatric services to our state's most vulnerable residents.
150 North 18th Avenue, Suite 500, Phoenix, AZ 85007-3247 P j 602-542-1025 F j 602-542-0883 WI azhealth.gov
Health and Wellness for all Arizonans
Ms. Lindsey Perry, Auditor General
September 23, 2019
Page 2
ADHS is proud to be a part of Arizona's strong public health system, providing safe parks,
clean air, clean water, safe meals and a healthy environment to raise our families. The
work we do adds value to our state and brings health and wellness to all Arizonans. ADHS
has been recognized nationally as a leader in public health initiatives and is accredited by
the National Public Health Accreditation Board (PHAB).
More information about the Department's objectives and anticipated accomplishments are
detailed in the ADHS Fiscal Year 2020 Strategic Plan and the Department's FY18 Annual
Report, which is posted online.
We appreciate your report highlighting the important work we do as part of our mission of
supporting Health and Wellness for all Arizonans and that the Department has met its
statutory objective and purpose, and is improving the efficiency with which it has operated.
As we have noted in prior communications, we are committed to continuous improvement
and will undertake activities that will enhance our processes. However, we are concerned
that how your findings are conveyed does not provide adequate context for readers and
legislators and could result in misinterpretation of the findings and our overall
performance. Because the purpose of the Sunset Review process is to provide overall
perspective on the Department's performance to allow legislators to "review the purpose
and functions of state agencies to determine whether continuation, revision, consolidation
or termination is warranted," 1 overall context is particularly important in audits that
support Sunset Reviews. Therefore, while we will employ strategies that will address the
findings, you will see in our response that there are certain findings with which we cannot
agree.
For example, in Finding 1, the report makes sweeping statements about public health and
safety risks in the context of the auditors' review of 33 complaints and a judgmental sample
of 37 self-reports for 5 long-term care facilities that are regulated and funded through an
agreement with the federal Centers for Medicare and Medicaid Services (CMS). However,
the audit fails to provide context for this analysis and findings. In total, long-term care
facilities represent less than 0.5 percent of the total licensees under Department regulation
and the sample of 5 facilities represents 0.014% of total licensees under the Department's
jurisdiction. The complaints reviewed represent roughly 0.4% of all complaints received
by the Department during the two-year period under evaluation. Rather than articulating
how the Department performs across this wide range of activities to protect public health
and safety and investigating and resolving complaints within its jurisdiction, the audit
findings focus on this very narrow non-representative sample. In addition to only
1
Handbook on Arizona's Sunset & Sunrise Review, Fifty-Fourth Legislature, 2019-2020.
Douglas A. Ducey I Governor Cara M. Christ, MD, MS I Director
150 North 18th Avenue, Suite 500, Phoenix, AZ 85007-3247 PI 602-542-1025 F 1602-542-0883 WI azhealth.gov
Health and Wellness for all Arizonans
Ms. Lindsey Perry, Auditor General
September 23, 2019
Page 2
representing a small subset of the Department's overall regulatory activity, this sample is
even small within the overall long-term care facility regulation framework, which received
a total of 4,959 complaints over the two-year period in question.
We would also note that under this federal program overseeing long-term care facilities,
the Department performs functions for CMS, who sets the expectations, requirements and
funding for the program. The Department is currently in compliance with those
requirements as determined CMS. The audit establishes expectations for the Department
beyond those that exist in its agreement with CMS or as currently established by the
Legislature, including establishing investigation time frames by examining policies in other
states without a comprehensive analysis of those other states' requirements and available
resources. If the State wants to expand the regulation of this industry beyond the federal
requirements, including an evaluation of Arizona's long-term care marketplace and
resources needed to meet any additional expectations that are set, the Department would
be pleased to participate in those discussions. In summary, we will not detail every
individual concern with how the audit articulates its findings. But as a result of these
concerns, we cannot agree with Finding 1.
The Department also cannot agree with Finding 3. We take seriously our obligation to
protect critical, sensitive and confidential data. ADOA-ASET is the Arizona office
responsible for setting the technology, security, privacy, and communication strategies,
policies, and procedures for the state of Arizona. ASET's guiding principles include Driving
best-in-class, enterprise-wide security standards through the office of the state Chief
Information Security Officer {CISO) in an effort to ensure that all cyber security initiatives are
secure and compliant. To this end, ASET provides leadership, standards and governance
across all of state government, leveraging its experts to set expectations and monitor
enterprise security controls and state agency activities. The report misrepresents our IT
security processes, including using inaccurate terminology to describe activities in the
report (e.g., use of the term "breach", which did not occur, but was implied to have occurred
in the report). The incident referenced in the audit involved a multistep, complicated
process in which an individual would have needed specific knowledge to access the
information. Contrary to what is reported in the audit, ADHS's web application
development policies and procedures are aligned with ASET and credible industry
standards.
In addition, the audit reports that the Department has not conducted a formal Department
wide IT risk assessment since 2015. This misleading statement fails to explain that ASET
conducted a state-wide risk assessment several years ago and determined that Arizona
150 North 18th Avenue, Suite 500, Phoenix, AZ 85007-3247 P 1602-542-1025 FI 602-542-0883 WI azhealth.gov
Health and Wellness for all Arizonans
Ms. Lindsey Perry, Auditor General
September 23, 2019
Page 2
could greatly reduce IT risks by implementing enterprise controls. The Department and
other states agencies have focused on implementing these controls over the past few years,
including the establishment of RiskSense, a tool used for IT vulnerability management and
risk scoring. The RiskSense platform includes the assignment of a safety score which is
used to evaluate and monitor each agency's risk exposure. Governor Ducey and ASET set a
goal for each state agency to maintain a score of 725 or above; the Department currently
exceeds this goal. In addition, the score is updated at least twice a month and Department
leadership reviews its performance weekly and allocates resources as needed to address
identified issues. Now that these controls have been implemented, the Department plans
to return to performing annual risk assessment. The Department believes ASET provides
sufficient and appropriate leadership on IT security issues and will continue to work
collaboratively with ASET to maintain its agency's information security. It will also
implement recommendations that will continue to enhance its procedures.
As discussed above, the wording and issue framing of the audit causes us concern in several
instances; we have noted others in our detailed response. Again, we appreciate your
recommendations and will implement them, where there is agreement, but we do not
believe the audit findings provide a full picture of our overall performance.
We appreciate your partnership and look forward to continuing to advance Health and
Wellness for all Arizonans.
Sincerely,
Cara M. Christ, MD
Director
Attachment
150 North 18th Avenue, Suite 500, Phoenix, AZ 85007-3247 PI 602-542-1025 FI 602-542-0883 WI azhealth.gov
Health and Wellness for all Arizonans
Finding 1: Department's failure to investigate, or timely investigate or resolve, some long
term care facility complaints and self-reports may put residents at risk
Recommendation 1: To help ensure all long-term care facility complaints and self-reports
are prioritized, investigated, and resolved in a timely manner, the Department should:
Recommendation 1 a: Continue with its efforts to allocate new or reallocate existing staff to
prioritize, investigate, and resolve long-term care facility complaints and self-reports on a
full-time basis.
Department Response: The finding of the Auditor General is not agreed to, but the
recommendation will be implemented.
Department Response: The finding of the Auditor General is not agreed to, but the
recommendation will be implemented.
Response explanation: The Department is currently revising its policies and procedures
to account for this recommendation. The Department anticipates completion of this effort
by April 2020.
Recommendation 1c: Regularly update its policies and procedures to reflect changes in its
current long-term care facility complaint and self-report investigation and resolution practices
and CMS requirements.
Department Response: The finding of the Auditor General is not agreed to, but the
recommendation will be implemented.
Response explanation: The Department is currently revising its policies and procedures
to account for this recommendation. The Department anticipates completion of this effort
by April 2020.
Recommendation 1 e: Ensure that any complaints and self-reports that are investigated
during an annual survey or outside of the annual survey are initiated and investigated
according to the time frames required by the assigned priority level.
Department Response: The finding of the Auditor General is not agreed to, but the
recommendation will be implemented.
Recommendation 2: The Legislature should consider forming a task force to study and
propose policy options for addressing the Department's timely investigation and processing
of long-term care facility complaints and self-reports to help ensure resident health and
safety. Options to consider include establishing requirements for investigating all complaints
and self-reports, appropriate time frames for conducting investigations of and closing out
long-term care facility complaints and self-reports, and reporting performance metrics to the
Legislature. Task force members should include appropriate stakeholders, such as
legislators, Department representatives, Arizona Department of Economic Security
representatives, industry members (i.e., long-term care facility owners or licensed
administrators), patient advocates, and if appropriate, a federal CMS representative.
Legislation forming the task force should identify task force membership, its overall purpose
and expected outcomes, and deadlines for reporting recommendations to the Legislature.
Response explanation:
Department Response: The finding of the Auditor General is agreed to and the audit
recommendation will be implemented.
Response explanation: The Department will complete development, and implement the
conflict of interest disclosure process, by April 1, 2020.
Department Response: The finding of the Auditor General is not agreed to, but the
recommendation will be implemented.
Response explanation: ADHS' web application development practices align with ASET's
policies and credible industry standards; however, our procedures could be
enhanced. ADHS will review and update its web application development procedures to
ensure that security is fully incorporated and implement any additional areas mentioned
that aren't currently being performed (such as threat modeling).
Recommendation 5: The Department should require staff who are responsible for
developing web applications to regularly receive role-based training on how to develop and
maintain secure web applications.
Department Response: The finding of the Auditor General is not agreed to and the
recommendation will not be implemented.
Response explanation: Staff responsible for developing web applications receive ASET
Secure Coding training. Developers that are not FTE's are required to have this
knowledge and interviews include this type of questioning.
Department Response: The finding of the Auditor General is not agreed to and the
recommendation will not be implemented.
Response explanation: ADHS has a Data Classification policy that is consistent with
State of Arizona policy. Data is classified at the system level. ASET is in the process of
working with an agency to pilot a third party tool that will categorize and classify data so
we will review the results of this pilot to see if this is something feasible to implement in
the future. We are working on implementing the State Data Governance Organization
policy to formalize data roles and provide associated training for data owners, data
stewards, and data custodians.
Recommendation 7: The Department should conduct a formal Department-wide risk
assessment at least annually, as required in its risk assessment policy and procedures, to
evaluate, document, and prioritize the areas in the Department's IT environment with the
highest security risks.
Department Response: The finding of the Auditor General is not agreed to, but the
recommendation will be implemented.
Response explanation: The last risk assessment the Department had performed was
when Behavioral Health Services (BHS) was part of the Department and BHS funded
a third party to perform this. Several years ago the state did a risk assessment and
determined that the State could greatly reduce IT risks by implementing enterprise
controls. The Department has focused on these implementations the last couple of
years. One of the controls that was implemented was RiskSense for vulnerability
management and risk scoring on a state-wide basis.
Recommendation 8: The Department should develop and implement a revision to its risk
assessment policy and procedures to include categorizing the Department's information
based on the likelihood of risk and magnitude of harm as required by ASET policy.
Department Response: The finding of the Auditor General is not agreed to, but the
recommendation will be implemented.
Department Response: The finding of the Auditor General is not agreed to, but the
recommendation will be implemented.
Response explanation: The Department has a mature security awareness and HIPAA
training program which require initial and ongoing (annual) Security Awareness and
HIPAA training per policy. However, the Department hasn't always obtained 100%
compliance. The Department will work to improve its compliance on these trainings. We
utilize the State Security Awareness computer based training which contains the
required content Security Awareness training and acceptable use attestations were
recently completed in June of 2019. HIPAA training for 2019 has been taken historically
in the month of December each year, and is scheduled for December of 2019.
Recommendation 10: The Department should continue with its plans to develop and
implement role-based training.
Department Response: The finding of the Auditor General is not agreed to, but the
recommendation will be implemented.
Sunset Factor 2: The extent to which the Department has met its statutory objective and
purpose and the efficiency with which it has operated.
Recommendation 11: The Department should continue using the electronic grants
management system, and ensure that for all future grant evaluations conducted using this
system, its grant evaluations clearly indicate whether grant applicants complied with all
evaluation criteria and that all evaluation factors are included in the grant solicitation.
Department Response: The finding of the Auditor General is agreed to and the audit
recommendation will be implemented.
Sunset Factor 5: The extent to which the Department has encouraged input from the
public before adopting its rules and the extent to which it has informed the public as to its
actions and their expected impact on the public.
Recommendation 12: The Department should develop and implement policies, procedures,
and training to help guide the boards, commissions, and councils it supports; and its staff
members' compliance with open meeting law requirements.
Department Response: The finding of the Auditor General is agreed to and the audit
recommendation will be implemented.
Department Response: The finding of the Auditor General is agreed to and the audit
recommendation will be implemented.
Response explanation: The Department will implement this recommendation by April 1,
2020.
Department Response: The finding of the Auditor General is agreed to and the audit
recommendation will be implemented.