Roswell Park Cancer Institute


Skip to Content

Login   Subscribe   Site Index   Contact Us   Google Translate™

NYS Comptroller


Taxpayers' Guide to State and Local Audits

Roswell Park Cancer Institute
Security Over Electronic Protected Health Information (Follow Up)

Issued: October 07, 2016
Link to full audit report 2016-F-19
Link to 30-day response

To determine the extent of implementation of the four recommendations included in our initial audit report, Security Over Electronic Protected Health Information (2014-S-67).

Our initial audit report, which was issued on July 6, 2015, concluded that the Roswell Park Cancer Institute (Institute) had established a highly developed information security program to protect the electronic protected health information (ePHI) it creates, receives, maintains, or transmits. During our testing, we found the Institute had taken many steps to safeguard its ePHI and meet Health Insurance Portability and Accountability Act security requirements. In addition, the Institute had adequate protection policies in place and a plan to make mandatory notifications when ePHI is lost or stolen. However, we identified some improvement opportunities involving certain administrative, physical, and technical safeguards over the Institute’s ePHI.

Key Findings

  • We found the Institute has made good progress addressing the issues identified in our initial audit. Of the four recommendations contained in our audit report, two have been implemented and two have been partially implemented.
  • While the Institute has made significant progress in addressing the open high- and medium- risk items cited in our initial audit, some of these risks still have not been addressed.  Officials indicated that starting October 1, 2016, the Institute will implement a new procedure to better support its risk decisions.

Key Recommendation

  • Officials are given 30 days after the issuance of the follow-up review to provide information on any actions that are planned to address the unresolved issues discussed in this review.

Other Related Audit/Report of Interest

Office of Information Technology Services: Security and Effectiveness of Department of Motor Vehicles’ Licensing and Registration Systems (2013-S-58)
State University of New York: Compliance With Payment Card Industry Standards (2015-S-65)

State Government Accountability Contact Information:
Audit Director: John Buyce
Phone: (518) 474-3271; Email:
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236