Security Over Electronic Protected Health Information

Issued Date
July 06, 2015
Agency/Authority
Roswell Park Cancer Institute

Purpose

To determine whether the Roswell Park Cancer Institute (Institute) is properly safeguarding its electronic protected health information (ePHI), has protection policies in place, and has a plan to make mandatory notifications when ePHI is lost or stolen. The audit covers the period January 1, 2013 through March 6, 2015.

Background

The Institute is a comprehensive cancer treatment and research complex located in Buffalo, New York. To support its operations, the Institute maintains major computer systems and networks that process, store, and transmit ePHI. Since 2003, all health care providers, including the Institute, have been required to comply with a set of information security standards for protecting ePHI, as established in the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Furthermore, the Federal Health Information Technology for Economic and Clinical Health Act (HITECH) extends certain HIPAA Privacy and Security Rule requirements to health care providers’ business associates and establishes new limitations on ePHI disclosure. Health care providers were expected to fully comply with HITECH by September 23, 2013. Over 4,000 individuals have access to the Institute’s systems and networks through which ePHI is accessed.

Key Findings

  • We found the Institute has taken many steps to safeguard its ePHI and meet Security Rule requirements. In addition, we found the Institute has adequate protection policies in place and a plan to make mandatory notifications when ePHI is lost or stolen.
  • However, we identified some improvement opportunities involving certain administrative, physical, and technical safeguards over the Institute’s ePHI.

Key Recommendations

  • Take steps to resolve risk items that have remained open over multiple periods.
  • Continue efforts to strengthen physical and technical security over the systems that receive, store, process, transmit, and maintain ePHI.

Other Related Audits/Reports of Interest

Office of Information Technology Services: Security and Effectiveness of Division of Criminal Justice Services’ Core Systems (2014-S-24)
Office of Information Technology Services: Security and Effectiveness of Department of Motor Vehicles’ Licensing and Registration Systems (2013-S-58)

State Government Accountability Contact Information:
Audit Director: John Buyce
Phone: (518) 474-3271; Email: [email protected]
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236