On July 23, 2025, the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) released Audit Report A-04-24-02504, titled “North Carolina Could Better Ensure That Intermediate Care Facilities for Individuals With Intellectual Disabilities Comply With Federal Requirements for Life Safety and Infection Control.”
What happened
The audit focused on three State-operated Intermediate Care Facilities for Individuals with Intellectual Disabilities (ICF/IIDs) in North Carolina: Caswell Developmental Center, J. Iverson Riddle Developmental Center, and Murdoch Developmental Center. These facilities receive Medicaid funding and are required to meet federal safety and infection control standards.
The OIG found a total of 14 deficiencies across the three centers, 12 related to life safety and 2 related to infection control. The audit concluded that the North Carolina Department of Health and Human Services (NC DHHS) did not always ensure these facilities fully complied with federal regulations, increasing the risk of injury or death for residents.
OIG recommended that NC DHHS verify completed corrective actions, assess and remediate mold exposure, and work with the Centers for Medicare & Medicaid Services (CMS) to improve training and oversight. NC DHHS agreed with the recommendations and outlined steps already taken or planned to address the findings.
The main points
Life safety issues include:
- Exit routes that were blocked or difficult to access.
- Self-closing fire doors that failed to operate properly.
- Sprinkler heads obstructed or blocked.
- Missing ceiling tiles.
- Unapproved or non‑compliant ashtrays where smoking was permitted.
- Excessively high water temperatures that could pose burn hazards.
Infection and controls issues included:
- Visible mold identified in at least one facility.
- Lack of documented corrective action plans addressing previously identified infection control deficiencies.
What was said
The report declares its objective as, “Determining whether the North Carolina Department of Health and Human Services (State agency) ensured that selected ICF/IIDs in North Carolina that participated in the Medicaid program complied with Federal requirements for life safety, emergency preparedness, and infection control.”
Why it matters
These facilities serve Medicaid beneficiaries and handle large volumes of protected health information (PHI), which falls under HIPAA’s Privacy and Security Rules. A facility that fails to meet basic safety standards, such as unsecured access points, poor maintenance, or lack of staff training, may also lack the operational discipline required to protect sensitive data.
These same weaknesses could compromise physical safeguards (e.g., server room access controls) or technical protections (e.g., firewall management), increasing the risk of data breaches. The absence of documented corrective action plans, especially for infection control, reflects poor recordkeeping, which raises red flags regarding how PHI is tracked, stored, and shared.
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
FAQs
What is a federal healthcare audit?
A federal healthcare audit is a systematic review initiated by government agencies, such as the HHS, OCR, or CMS, to assess a healthcare organization’s compliance with federal laws and regulations.
Who can be audited by federal agencies?
Any entity that receives federal funds or is subject to healthcare regulations may be audited. This includes hospitals, small practices, clinics, business associates, and vendors who may handle PHI.
What triggers a federal audit?
Common audit triggers include suspected fraudulent billing, outlier patterns in claims, reported breaches, complaints, or random selection. Consistently using higher reimbursement codes, excessive tests, or billing patterns not aligned with norms may also prompt audits.
Kirsten Peremore
