Security Over Electronic Protected Health Information (Follow-Up)

Issued Date
October 07, 2016
Agency/Authority
Roswell Park Cancer Institute

Purpose

To determine the extent of implementation of the four recommendations included in our initial audit report, Security Over Electronic Protected Health Information (2014-S-67).

Background

Our initial audit report, which was issued on July 6, 2015, concluded that the Roswell Park Cancer Institute (Institute) had established a highly developed information security program to protect the electronic protected health information (ePHI) it creates, receives, maintains, or transmits. During our testing, we found the Institute had taken many steps to safeguard its ePHI and meet Health Insurance Portability and Accountability Act security requirements. In addition, the Institute had adequate protection policies in place and a plan to make mandatory notifications when ePHI is lost or stolen. However, we identified some improvement opportunities involving certain administrative, physical, and technical safeguards over the Institute’s ePHI.

Key Findings

  • We found the Institute has made good progress addressing the issues identified in our initial audit. Of the four recommendations contained in our audit report, two have been implemented and two have been partially implemented.
  • While the Institute has made significant progress in addressing the open high- and medium-risk items cited in our initial audit, some of these risks still have not been addressed. Officials indicated that starting October 1, 2016, the Institute will implement a new procedure to better support its risk decisions.

Key Recommendation

Officials are given 30 days after the issuance of the follow-up review to provide information on any actions that are planned to address the unresolved issues discussed in this review.

Other Related Audits/Reports of Interest

Office of Information Technology Services: Security and Effectiveness of Department of Motor Vehicles’ Licensing and Registration Systems (2013-S-58)
State University of New York: Compliance With Payment Card Industry Standards (2015-S-65)

John Buyce

State Government Accountability Contact Information:
Audit Director: John Buyce
Phone: (518) 474-3271; Email: [email protected]
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236