Roswell Park Cancer Institute

 

Skip to Content

Login   Subscribe   Site Index   Contact Us   Google Translate™

NYS Comptroller

THOMAS P. DiNAPOLI

Taxpayers' Guide to State and Local Audits

Roswell Park Cancer Institute
Security Over Electronic Protected Health Information


Issued: July 06, 2015
Link to full audit report 2014-S-67
Link to 90-day response

Purpose
To determine whether the Roswell Park Cancer Institute (Institute) is properly safeguarding its ePHI and has protection policies in place and a plan to make mandatory notifications when ePHI is lost or stolen. The audit covers the period January 1, 2013 through March 6, 2015.

Background
The Institute is a comprehensive cancer treatment and research complex located in Buffalo, New York. To support its operations, the Institute maintains major computer systems and networks that process, store, and transmit ePHI. Since 2003, all health care providers, including the Institute, are required to comply with a set of information security standards for protecting ePHI, as established in the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Furthermore, the Federal Health Information Technology for Economic and Clinical Health Act (HITECH) extends certain HIPAA Privacy and Security Rule requirements to health care providers’ business associates and establishes new limitations on ePHI disclosure. Health care providers were expected to fully comply with HITECH by September 23, 2013. Over 4,000 individuals access the Institute’s systems and networks that facilitate ePHI access.

Key Findings

  • We found the Institute has taken many steps to safeguard its ePHI and meet Security Rule requirements. In addition, we found the Institute has adequate protection policies in place and a plan to make mandatory notifications when ePHI is lost or stolen.
  • However, we identified some improvement opportunities involving certain administrative, physical, and technical safeguards over the Institute’s ePHI.

Key Recommendations

  • Take steps to resolve risk items that have remained open over multiple periods.
  • Continue efforts to strengthen physical and technical security over the systems that receive, store, process, transmit, and maintain ePHI.

Other Related Audits/Reports of Interest

Office of Information Technology Services: Security and Effectiveness of Division of Criminal Justice Services’ Core Systems (2014-S-24)
Office of Information Technology Services: Security and Effectiveness of Department of Motor Vehicles’ Licensing and Registration Systems (2013-S-58)


State Government Accountability Contact Information:
Audit Director: John Buyce
Phone: (518) 474-3271; Email: StateGovernmentAccountability@osc.state.ny.us
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236