On July 23, 2025, the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) released Audit Report A-04-24-02504, titled “North Carolina Could Better Ensure That Intermediate Care Facilities for Individuals With Intellectual Disabilities Comply With Federal Requirements for Life Safety and Infection Control.”
The audit focused on three State-operated Intermediate Care Facilities for Individuals with Intellectual Disabilities (ICF/IIDs) in North Carolina: Caswell Developmental Center, J. Iverson Riddle Developmental Center, and Murdoch Developmental Center. These facilities receive Medicaid funding and are required to meet federal safety and infection control standards.
The OIG found a total of 14 deficiencies across the three centers, 12 related to life safety and 2 related to infection control. The audit concluded that the North Carolina Department of Health and Human Services (NC DHHS) did not always ensure these facilities fully complied with federal regulations, increasing the risk of injury or death for residents.
OIG recommended that NC DHHS verify completed corrective actions, assess and remediate mold exposure, and work with the Centers for Medicare & Medicaid Services (CMS) to improve training and oversight. NC DHHS agreed with the recommendations and outlined steps already taken or planned to address the findings.
Life safety issues include:
Infection and controls issues included:
The report declares its objective as, “Determining whether the North Carolina Department of Health and Human Services (State agency) ensured that selected ICF/IIDs in North Carolina that participated in the Medicaid program complied with Federal requirements for life safety, emergency preparedness, and infection control.”
These facilities serve Medicaid beneficiaries and handle large volumes of protected health information (PHI), which falls under HIPAA’s Privacy and Security Rules. A facility that fails to meet basic safety standards, such as unsecured access points, poor maintenance, or lack of staff training, may also lack the operational discipline required to protect sensitive data.
These same weaknesses could compromise physical safeguards (e.g., server room access controls) or technical protections (e.g., firewall management), increasing the risk of data breaches. The absence of documented corrective action plans, especially for infection control, reflects poor recordkeeping, which raises red flags regarding how PHI is tracked, stored, and shared.
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
A federal healthcare audit is a systematic review initiated by government agencies, such as the HHS, OCR, or CMS, to assess a healthcare organization’s compliance with federal laws and regulations.
Any entity that receives federal funds or is subject to healthcare regulations may be audited. This includes hospitals, small practices, clinics, business associates, and vendors who may handle PHI.
Common audit triggers include suspected fraudulent billing, outlier patterns in claims, reported breaches, complaints, or random selection. Consistently using higher reimbursement codes, excessive tests, or billing patterns not aligned with norms may also prompt audits.