Roswell Park Cancer Institute has made “significant progress” on the recommendations included in a 2015 audit by the state Comptroller’s Office on secure handling of electronic health records. That is the finding of a new audit released this month by the Comptroller’s Office.
Auditors conducted the initial review of the period between January 2013 and March 2015 to determine how well the institute safeguarded computerized patient information and whether it had policies in place to make notifications when such data is lost or stolen. Both are requirements under federal laws governing health information technology.
That initial audit from July 2015 found “a highly developed information security program” at Roswell Park but made four recommendations to address weaknesses identified by auditors.
The Comptroller’s Office said in its follow-up audit that Roswell Park has implemented two recommendations and partially implemented two others.
The two that are only partially completed, according to the office, are taking steps to resolve risk items that remained open for an extended period and putting in place procedures to better support its risk-mitigation decisions. Roswell Park did continue putting in place better physical security and technical safeguards around its electronic health information.
“Regarding the few issues that were highlighted as opportunities for improvement, all of them have either been addressed already or will be by our deadline for follow-up,” a spokeswoman said in an email.