REPORT DIGEST

ILLINOIS HEALTH INFORMATION EXCHANGE AUTHORITY
COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED JUNE 30, 2016

Release Date: August 29, 2018

FINDINGS THIS AUDIT: 26

CATEGORY      NEW   REPEAT   TOTAL
Category 1      6        8      14
Category 2      8        3      11
Category 3      0        1       1
TOTAL          14       12      26

FINDINGS LAST AUDIT: 21

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

The Illinois Health Information Exchange Authority’s (Authority) purpose was to promote and facilitate the widespread adoption of electronic medical records and participation in the Illinois Health Information Exchange (ILHIE) among healthcare providers. According to Authority officials, the ILHIE was decommissioned by June 30, 2016.

The Authority, the Office of the Governor, and the Department of Healthcare and Family Services entered into an interagency agreement on September 23, 2016, which, in practicality, ended the Authority’s existence as an independent, standalone entity and reorganized the functions of the Authority into the Department.

Because of the significance and pervasiveness of the findings described within the report, we expressed an adverse opinion on the Authority’s compliance with the assertions which comprise a State compliance examination.
The Codification of Statements on Standards for Attestation Engagements (AT-C § 205.72) states a practitioner “should express an adverse opinion when the practitioner, having obtained sufficient appropriate evidence, concludes that misstatements, individually or in the aggregate, are both material and pervasive to the subject matter.”

SYNOPSIS

• (16-01) The Authority no longer operates the ILHIE.
• (16-02) The Authority failed to adopt a comprehensive decommissioning plan for the ILHIE which completely addressed the destruction of personally-identifiable information and health data of individuals.
• (16-03) The Authority did not ensure data on the ILHIE was properly destroyed.
• (16-04) The Authority failed to comply with the State Records Act, resulting in an improper destruction of the State’s records.
• (16-13) The Authority did not exercise adequate internal control over a grant.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

FAILURE TO FULFILL THE AUTHORITY’S PRIMARY MISSION

The Illinois Health Information Exchange Authority (Authority) no longer operates the Illinois Health Information Exchange (ILHIE). During testing, we noted the Authority had completely decommissioned and shut down the ILHIE by June 30, 2016. Further, it does not appear the Authority has an adequate plan for its future operations.

The ILHIE consisted of two distinct components. The first component, ILHIE Direct, was a Statewide, secure electronic transport network for sharing clinical and administrative data among healthcare providers in order to facilitate care coordination. While the Authority and its predecessors never capitalized the cost of this development, we estimated ILHIE Direct’s cost as, at least, $3,154,811. The second component, the Public Health Node (PHN), received data transmissions from healthcare providers to validate datasets and support the transmission of datasets in a “meaningful use” format to the U.S. Department of Health and Human Services, Centers for Disease Control and Prevention (CDC) and the Department of Public Health. Again, while the Authority and its predecessors never capitalized the cost of this development, we estimated the PHN’s cost as, at least, $1,719,462. (Finding 1, pages 15-16)

We recommended the Department of Healthcare and Family Services, on behalf of the Authority, develop and operate the ILHIE, or seek a legislative remedy.

Department officials accepted the finding.

INADEQUATE DECOMMISSIONING PLAN

The Authority failed to adopt a comprehensive decommissioning plan for the Illinois Health Information Exchange (ILHIE) which completely addressed the destruction of personally-identifiable information and health data of individuals within the ILHIE.

During testing, we noted the Authority and its vendor approved the ILHIE’s decommissioning plan on May 6, 2016, which was to document the “process and procedures to cease delivery of services”. During our review of the plan and its implementation, we noted the following:

• While the vendor developing the ILHIE on the Authority’s behalf had contracted with several subcontractors, the decommissioning plan did not require the subcontractors to provide either (1) a certification ILHIE data held by the subcontractor had been properly destroyed or (2) a certification the subcontractor did not maintain any ILHIE data. As a result, the Authority does not have any assurance three of five (60%) subcontractors working on the ILHIE project are not holding personally-identifiable information and health data of individuals within the ILHIE.
• The plan was approved 188 days after the final destruction of ILHIE Direct services on October 31, 2015, and 310 days after the vendor began shutting down ILHIE Direct on July 1, 2015. As a result, the vendor and the Authority had not documented their plan for the destruction of ILHIE Direct data or developed a certification process for documenting the destruction of ILHIE Direct data. Further, the final decommissioning plan did not address ILHIE Direct’s requirements for the destruction of data and requirements for a certification the data had been destroyed.
• The decommissioning plan requires the vendor to maintain certain protected health information for six years after the final decommissioning of the ILHIE. However, we noted the decommissioning plan does not address the destruction of this data or develop a certification process for documenting the destruction of this data. (Finding 2, pages 17-18)

We recommended the Department of Healthcare and Family Services, on behalf of the Authority, take action to ensure all of the ILHIE’s data is adequately protected from disclosure and secure until it can be verified as destroyed.

Department officials accepted the finding.

INADEQUATE CONTROL OVER THE DESTRUCTION OF DATA

The Authority did not ensure data on the Illinois Health Information Exchange (ILHIE) was properly destroyed.

During our review of the Authority’s decommissioning process, we noted the following:

• The Authority was unable to provide documentation any media handled by three of the vendor’s five subcontractors (60%) had been properly destroyed.
• The Authority received documentation from two of the vendor’s five subcontractors regarding the ILHIE Direct’s data on December 16, 2015, and January 5, 2016. We noted neither of the subcontractors provided a listing with the serial number of each computer or other equipment item sanitized, the name of the overwriting software used, and the name, date, and signature of the person who performed the overwriting process. In addition, we found the following:
  – One of the two noted subcontractors stated it was still holding data and that any Protected Health Information (PHI) was encrypted. We were unable to determine what had happened with this data after the subcontractor’s e-mail on January 5, 2016.
  – We noted discrepancies in the reporting of destroyed media by one of the two subcontractors. In the subcontractor’s December 16, 2015, submission, they reported 380 tapes had been destroyed, while the ILHIE Backups on Removable Media Report indicated 363 of 393 tapes had been destroyed by the subcontractor. We were unable to reconcile this discrepancy.
  – In addition, for the remaining 13 to 30 tapes containing ILHIE data held by the subcontractor, we do not know (1) where these tapes are stored; (2) whether these tapes are currently adequately secured; or (3) whether these tapes will be disposed of in accordance with the Personal Information Protection Act (815 ILCS 530/30) and the terms of the contract with the vendor.
• The Authority received an e-mail from its vendor on August 17, 2016, stating it attested to the “full and complete destruction of all data with the physical destruction of all tapes and the overwriting at least 10 times of all on disk data”. We noted the vendor did not provide a listing with the serial number of each computer or other equipment item sanitized, the name of the overwriting software used, and the name, date, and signature of the person who performed the overwriting process. (Finding 3, pages 19-21)

We recommended the Department of Healthcare and Family Services, on behalf of the Authority, take action to ensure the ILHIE’s decommissioning process is finalized and all of the ILHIE’s data is protected from disclosure and secure until it can be verified as destroyed.

Department officials accepted the finding.

NONCOMPLIANCE WITH THE STATE RECORDS ACT

The Authority failed to comply with the State Records Act, resulting in an improper destruction of the State’s records.
During testing, we noted the following:

• The Authority did not submit lists or schedules of records, with a proposal for the length of time each record series warrants retention by the Authority, to the State Records Commission. In addition, the Authority’s Executive Director did not appoint a records officer to liaise with the Secretary of State regarding the management of the Authority’s records.
• The Illinois Health Information Exchange (ILHIE), which was fully decommissioned by June 30, 2016, consisted of two distinct components. The first component, ILHIE Direct, was a Statewide, secure electronic transport network for sharing clinical and administrative data among healthcare providers in order to facilitate care coordination. The second component, the Public Health Node, received data transmissions from healthcare providers to validate datasets and support the transmission of datasets in a “meaningful use” format to the U.S. Department of Health and Human Services, Centers for Disease Control and Prevention (CDC) and the State of Illinois, Department of Public Health. On October 31, 2015, the Authority’s vendor developing and hosting the ILHIE destroyed the electronic records associated with ILHIE Direct without providing a copy of the records to the Authority. The destruction of these records occurred with the knowledge and approval of the Authority’s management. (Finding 4, pages 22-24)

We recommended the Department of Healthcare and Family Services, on behalf of the Authority, take action to ensure all of the Authority’s remaining records are retained and only destroyed in accordance with the provisions of the State Records Act.

Department officials accepted the finding.

INADEQUATE CONTROL OVER A GRANT

The Authority did not exercise adequate internal control over a grant.

During the examination period, the Authority received a Coordinating Care for a Healthy Illinois grant from the U.S. Department of Health and Human Services, Office of the National Coordinator for Health Information Technology (ONC), totaling $2,478,193. The Authority incurred expenses of $210,586 related to this grant during the two years ended June 30, 2016.

During testing, some of the more significant issues we noted included the following:

• The Authority did not exercise adequate internal control over financial transactions with its subrecipients. We noted the following:
  – The Authority could not quantify or show documentation to substantiate the Authority’s subrecipients met the in-kind matching requirement. As the reimbursements for the Authority’s expenses totaled $54,743, the total unmet matching requirement was $51,948.
  – 10 of 17 (59%) subrecipient reimbursements, totaling $155,843, were questioned by us. The following chart details the questioned costs:

    Costs Incurred Prior to Signing the Grant Agreement ........................ $934
    No Support for Meeting the Requirements of the Grant Agreement ........... $3,248
    Inadequate Support for Meeting the Requirements of the Grant Agreement .. $33,292
    Illegible Supporting Documentation .......................................... $99
    No Business Purpose ........................................................ $122
    Incorrect Calculation of Fringe Benefits and/or the Indirect Cost Rate ... $2,452
    Total Questioned Costs .................................................. $40,147

• The Authority did not exercise adequate controls over its own (not including subrecipients) transactions. We noted the following:
  – The Authority met its own (not including subrecipients) federal matching requirement of $1 for every $3 spent by the ONC on the grant by using cash on deposit within the Health Information Exchange Fund, which originated from federal sources. As the reimbursements for the Authority’s expenses totaled $54,743, the total unmet matching requirement was $18,248. (Finding 13, pages 47-50)

We recommended the Department of Healthcare and Family Services, on behalf of the Authority, work with the ONC to determine whether any amounts are due to the federal government.
Department officials accepted the finding.

OTHER FINDINGS

The remaining findings pertain to (1) inaccurate financial records; (2) inadequate control over expenditures, receipts, receivables, reconciliations, formulating contracts, equipment, SOC Reports, Public Health Node payments, a vendor credit, interagency agreements, personal services, travel, and signature cards; (3) inadequate segregation of duties and security and control over confidential information; (4) failure to establish a quorum at the Authority’s meetings of the Board of Directors and pay for office space; (5) unnecessary purchases; (6) a lack of due diligence to ensure computer security; and, (7) a lack of members on the Authority’s Board of Directors.

We will review the Authority’s progress towards the implementation of our recommendations in our next compliance examination of the Department of Healthcare and Family Services.

ACCOUNTANT’S OPINION

The accountants conducted a compliance examination of the Authority for the two years ended June 30, 2016, as required by the Illinois State Auditing Act. Because of the effect of the noncompliance described in Finding 2016-001 through Finding 2016-014, the accountants stated the Authority did not comply with the requirements described in the report.

This compliance examination was conducted by the Office of the Auditor General’s staff.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:djn
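As an added illustration that is not part of the report and not a procedure of the Authority, the Department or the vendor: the three evidence gaps described under Finding 3 (Inadequate Control Over the Destruction of Data) can be expressed as mechanical checks a data custodian or auditor runs over a vendor's media-sanitization evidence. The script below checks that every subcontractor is covered by an attestation, that each certification line carries the serial number, overwriting software, and operator name, date and signature the report calls for, and that a claimed tape count reconciles with the removable-media inventory, expressing any gap as a range of unaccounted tapes. The subcontractor names, record layout and sample entries are constructed; the tape counts 380, 363 and 393 are the figures the report cites.

```python
"""Checks over media-sanitization evidence (constructed example).

Encodes the gaps described in Finding 3:
  1. every subcontractor that handled data must be covered by a
     destruction certification or a no-data attestation;
  2. each certification line must list, per item, the serial number,
     the overwriting software, and the operator's name, date and
     signature;
  3. a claimed count of destroyed tapes must reconcile with the media
     inventory, with any gap reported as a range of unaccounted tapes.
All names, field layouts and sample records are constructed; they are
not the Authority's or the vendor's actual formats.
"""
from dataclasses import dataclass
from typing import Iterable

# Fields the finding says a sanitization listing must carry per item.
REQUIRED_FIELDS = ("serial_number", "overwrite_software",
                   "performed_by", "date", "signature")


@dataclass(frozen=True)
class SanitizationRecord:
    """One line of a destruction certification (constructed layout)."""
    subcontractor: str
    serial_number: str = ""
    overwrite_software: str = ""
    performed_by: str = ""
    date: str = ""
    signature: str = ""


def missing_fields(record: SanitizationRecord) -> list:
    """Required fields that are blank on this record."""
    return [f for f in REQUIRED_FIELDS if not getattr(record, f).strip()]


def validate_certification(records: Iterable[SanitizationRecord]) -> dict:
    """Map each deficient item (by serial, or a placeholder) to its gaps.

    Only deficient records are returned; an empty dict means every item
    is fully documented.
    """
    deficiencies = {}
    for i, rec in enumerate(records):
        gaps = missing_fields(rec)
        if gaps:
            key = rec.serial_number or f"<record {i} without serial>"
            deficiencies[key] = gaps
    return deficiencies


def uncovered_subcontractors(all_subs: Iterable[str],
                             attested: Iterable[str]) -> list:
    """Subcontractors with neither a destruction nor a no-data attestation."""
    attested_set = {s.lower() for s in attested}
    return sorted(s for s in all_subs if s.lower() not in attested_set)


def reconcile_tapes(reported_destroyed: int, inventory_destroyed: int,
                    inventory_total: int) -> tuple:
    """Compare a claimed destroyed count with the media inventory.

    Returns (discrepancy, min_unaccounted, max_unaccounted): the gap
    between the two destroyed counts, and the smallest and largest number
    of inventoried tapes whose destruction is unproven, depending on
    which figure is believed.
    """
    if not 0 <= inventory_destroyed <= inventory_total:
        raise ValueError("inventory counts are inconsistent")
    discrepancy = abs(reported_destroyed - inventory_destroyed)
    lo = inventory_total - max(reported_destroyed, inventory_destroyed)
    hi = inventory_total - min(reported_destroyed, inventory_destroyed)
    return discrepancy, max(lo, 0), max(hi, 0)


# Constructed sample evidence: five subcontractors, two with attestations.
SUBCONTRACTORS = ["sub-a", "sub-b", "sub-c", "sub-d", "sub-e"]
ATTESTED = ["sub-a", "sub-b"]

SAMPLE_CERT = [  # constructed certification lines from "sub-a"
    SanitizationRecord("sub-a", "TAPE-0001", "overwrite-tool (placeholder)",
                       "J. Operator", "2015-12-16", "signed"),
    SanitizationRecord("sub-a", "TAPE-0002", "", "J. Operator", "2015-12-16", ""),
    SanitizationRecord("sub-a"),  # bare line: no serial, no evidence at all
]


def audit_summary() -> dict:
    """Run all three checks over the constructed evidence."""
    return {
        "uncovered": uncovered_subcontractors(SUBCONTRACTORS, ATTESTED),
        "deficient_records": validate_certification(SAMPLE_CERT),
        # Report's figures: 380 claimed destroyed, inventory shows 363 of 393.
        "tape_reconciliation": reconcile_tapes(380, 363, 393),
    }


if __name__ == "__main__":
    for name, result in audit_summary().items():
        print(f"{name}: {result}")
```

Run as a script it reports three uncovered subcontractors (three of five, the 60% the finding cites), two deficient certification lines, and a reconciliation of (17, 13, 30): a 17-tape discrepancy between the two counts and between 13 and 30 inventoried tapes whose destruction is unproven, which is the range the finding reports. The reconciliation deliberately does not pick a side; either count could be wrong, so both bounds are surfaced for follow-up.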