25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Data Access and Sharing Risks Identified at National Institutes of Health

Posted By on Feb 15, 2019

The Department of Health and Human Services’ Office of Inspector General (OIG) has published a report of the findings of an audit of the National institutes of Health (NIH). The NIH is the primary government biomedical and public health research agency in the United States and one of the foremost medical research centers in the world.

The audit was conducted to determine whether adequate controls had been implemented for permitting and monitoring access to sensitive NIH data. OIG reviewed internal controls, policies, procedures, and supporting documentation, and conducted interviews with internal staff.

While controls had been implemented at NIH to restrict access to sensitive data, OIG identified several areas where improvements could be made to bolster security and several recommendations were made.

OIG recommended NIH should develop a security framework, conduct risk assessments, implement additional security controls to safeguard sensitive data, and should start working with an organization that has expertise and knowledge of misuse of scientific data. NIH did not concur with any of those recommendations.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

OIG also recommended that mechanisms should be implemented to ensure that its data security policies remain current and reflect the rapidly changing threat landscape and that security awareness training and security plans should be made a requirement.

NIH concurred with those recommendations but did not agree to implement controls to ensure that training and security plan requirements are fulfilled. NIH explained that it had already established a working group to address risks and vulnerabilities to the confidentiality of intellectual property and protect the integrity of the peer review process.

OIG maintained that the findings of its auditors were accurate and the recommendations were valid. Detailed information on potential actions that could be taken to address its findings and recommendations was provided to NIH. OIG recommended that if NIH decides not to strengthen its controls that the decision should be documented in line with Federal regulations and guidance.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist