OIG Audit Findings of National Institutes of Health

The Department of Health and Human Services’ Office of Inspector General (OIG) has released a report of the findings of a National Institutes of Health (NIH) data access and data sharing audit.

The NIH is the main federal biomedical and public health research agency in America and one of the leading medical research centers worldwide. OIG conducted the audit to find out if NIH had implemented sufficient controls covering access to sensitive NIH information. OIG examined internal controls, supporting documentation, policies and procedures and performed interviews with NIH personnel.

Although NIH had implemented controls to limit access to sensitive information, OIG identified some areas where changes could be made to reinforce security. A number of recommendations were made, but NIH did not concur with the majority of OIG’s recommendations.

OIG suggested that NIH ought to implement a security framework, perform a risk assessment, add further security controls to protect sensitive information, and begin working with a third-party organization that has expertise in the misuse of scientific information. NIH did not agree with those suggestions.

OIG likewise suggested that systems should be implemented to make sure that data security policies are kept up to date and reflect the fast-changing threat landscape, and that HIPAA training for employees and safety programs should be implemented. NIH agreed with the recommendation to keep its security policies up to date but would not be reporting on whether training and security plan requirements had been satisfied. NIH mentioned that it had previously organized a working team to address vulnerabilities to the confidentiality of intellectual property and ensure the integrity of its peer review processes.

OIG maintained that the findings of the audit and its recommendations were correct and legitimate and suggested that, if NIH decided not to take its recommendations on board, its decisions should be documented in keeping with Federal policies and guidance.



About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/