DES Chief, Damaging ADHS Audit Out, Christ Replaces Trailor

On the same day the Arizona Auditor General’s Office released a disturbing audit of the Department of Health Services, the head of the organization, Dr. Cara Christ, was picked to temporarily take the helm at the Department of Economic Security.

Christ was selected by Gov. Doug Ducey to replace AZDES Director Michael Trailor, who announced his resignation in an email to AZDES employees on Thursday.

Christ will lead a national search for Trailor’s replacement “while maintaining her position as director of ADHS,” according to a press release.

Trailor’s last day will be October 18.

“Trailor will be stepping down as director while moving into a new role within the Governor’s Office of Youth, Faith and Family focused on furthering the state’s efforts to combat homelessness,” the Governor’s Office said in the press release.

Trailor’s demotion came as little surprise to politicos. Few believed he was qualified to take over the embattled agency two years ago.

“I’m grateful to Director Trailor for stepping up more than two years ago and serving in this important role,” the governor said in a statement.

Ducey appointed Trailor after former DES director Tim Jeffries was forced out due to news reports that later proved to be mostly inaccurate. Jeffries and his top staff believe he was forced out due to his efforts to clean up the agency.

From thwarting Jeffries’ efforts to cancel the contract with Hacienda HealthCare to fabricating a story that he and his team were stockpiling weapons, the Governor, with the assistance of the mainstream media, allegedly targeted Jeffries in order to stop his reforms of the massive agency.

It was only after a patient with intellectual disabilities was raped in a Hacienda HealthCare facility by a caregiver last year that it became clear that Jeffries and his team had become targets for being on target about the necessary reforms.

After the rape victim delivered a child in the care facility, Jeffries called on Trailor to resign. Remarkably, the governor, who is quick to toss his staff under any bus, stood by Trailor.

In an email to AZDES staff, Christ wrote that she was “confident that your work will continue without a pause as we assist our sister agency through their transition.”

“I will continue to be in close daily contact with (Department of Health Services) leadership, and I don’t anticipate any disruption in the important work you do every day during this temporary assignment,” wrote Christ.

Auditor General’s findings:

Department’s failure to investigate, or timely investigate or resolve, some long-term care facility complaints and self-reports may put residents at risk

As the State licensing agency and the State Survey Agency for the federal Centers for Medicare and Medicaid Services (CMS), the Department is required to investigate all complaints and long-term care facility self-reported incidents (self-reports) for the 147 State licensed/CMS certified long-term care facilities in the State. We reviewed 33 complaints and a judgmental sample of 37 self-reports the Department received in calendar years 2017 and 2018 for 5 judgmentally selected long-term care facilities and found that the Department did not investigate or did not timely prioritize, investigate, or resolve some long-term care facility complaints and self-reports. Specifically, we found that as of June 2019, 38 of the 70 complaints and self-reports were still open and uninvestigated. These uninvestigated complaints and self-reports included allegations of abuse and neglect of residents and unsanitary living conditions.

Additionally, for the 20 complaints and self-reports that the Department did investigate, we found that the Department did not timely initiate its investigation for 15 of them. For example, 12 of the 20 complaints/self-reports were assigned a priority B (alleges actual harm but does not rise to the level of an immediate and serious threat), and the Department did not timely initiate investigations for 11 of these 12 complaints/self-reports.

Department did not comply with some conflict-of-interest requirements

Arizona law requires employees of public agencies and public officers to avoid conflicts of interest that might influence or affect their official conduct and outlines several requirements for doing so. We identified several areas where the Department was not meeting statutory requirements or best practices. For example, although required by statute, the Department lacked a special disclosure file that memorializes all disclosures and did not require members of the more than 30 Department-supported boards, commissions, and committees to complete disclosure forms. Also, the Department was not requiring employees to annually disclose conflicts, a best practice. These deficiencies increased the risk of Department employees and public officers not disclosing conflicts. However, the Department began addressing these deficiencies in July 2019.

Some gaps in Department IT security processes resulted in a security incident and additional IT security weaknesses

To administer its programs, the Department uses many IT systems to store and process large volumes of sensitive and/or confidential data. Various federal and State laws and regulations and the Arizona Department of Administration’s Strategic Enterprise Technology Office (ASET) policies specify the Department’s responsibility for protecting this data. However, we identified an instance where confidential Department data was not properly protected by the Department and was therefore inappropriately available to the public. Specifically, a security weakness on a Department website allowed a member of the public to view confidential data such as birthdates, identification numbers, and other information as well as copy an authorized user’s credentials and use them to log into a Department web application. As of August 2019, the Department reported that it had investigated and reported this incident to ASET, as required. We also identified the following gaps in the Department’s data classification, risk assessment, and IT security awareness training processes:

  • Data classification helps to ensure sensitive data is protected from loss, misuse, or inappropriate disclosure. Although the Department reported that it treats all its data as confidential, it has not inventoried its data and documented the classification of that data.
  • The Department has not conducted a formal Department-wide IT risk assessment since 2015. A risk assessment is a structured process recommended by credible industry standards and required by ASET policy that at least annually identifies IT risks within an organization—such as weak security practices, outdated systems, or the lack of a plan for restoring IT systems following a disaster.
  • The Department requires all employees and contractors to complete basic security awareness training when initially hired and annually thereafter but is not enforcing this requirement. Specifically, only 20 percent of the Department’s 1,128 employees completed both trainings in 2018.
About M. Perez - ADI Staff Reporter 362 Articles