Office of Internal Controls, Audit Compliance & Information Security

The MDH Office of Internal Controls, Audit Compliance & Information Security (IAC/S) serves to ensure that MDH operational units comply with legal, regulatory, and policy requirements. The IAC/S divisions include Audit Follow-Up, Audit Liaison, Compliance and Privacy, Institutional Review Board, the Strategic Data Initiative (SDI), Information Security (InfoSec), and Operations, Technology, and Risk Assessment.

What we do

  • Promptly make recommendations to correct internal control weaknesses identified in audits or other reviews
  • Conduct follow-up reviews and testing to ensure that corrective actions recommended by external auditors have been implemented and are working effectively
  • Serve as liaison between Departmental units and the Office of Legislative Audits (OLA); OIG/Health; Health & Human Services OIG; and all other external audit organizations
  • Receive and review allegations regarding employee conduct and other compliance issues
  • Track and report on MDH compliance with secondary employment and financial disclosure requirements
  • Receive and review potential violations of the MDH privacy policy and the Health Insurance Portability and Accountability Act (HIPAA)
  • Coordinate the activities of the MDH Institutional Review Board
  • Review data-related agreements and update data use policies to ensure that MDH data is protected
  • Help protect against potential information technology (IT) threats and vulnerabilities

Audit Follow-Up helps ensure MDH compliance with external audits conducted by the Office of Legislative Audits (OLA) and all other external auditors. MDH auditors and analysts confirm whether corrective actions have been implemented and if any modifications to policies and procedures are effective based on the external audit recommendations and MDH objectives. Special audits may be performed upon request from leadership or as the result of a risk assessment or survey performed by MDH.

Audit Liaison facilitates communication between MDH leadership and outside auditors, including the OLA; OIG/Health; Health and Human Services OIG (HHS OIG); Center for Medicare and Medicaid (CMS); and all other external audit organizations. In this role, Audit Liaison advocates on behalf of MDH while also helping to ensure MDH responds promptly to external audit recommendations.

Compliance and Privacy helps ensure that the Department complies with the Code of Conduct, Corporate Compliance policies, privacy policies, and the Health Insurance Portability and Accountability Act (HIPAA).

The Institutional Review Board (IRB) is responsible for reviewing research to ensure that the rights, safety, and dignity of human subjects are protected.

The Strategic Data Initiative (SDI) is responsible for updating MDH data protection and usage policies and reviewing data-related agreements for adherence to those policies.

The Information Security Program (InfoSec)

The Information Security (InfoSec) program was established to protect MDH’s ability to continually provide secured mission-critical operations. Through personnel, policies, procedures, and standards, it ensures the availability, confidentiality, and integrity of organizational information, as well as compliance with HIPAA, CMS, the DoIT Security Manual, and federal and State mandates.

Contact us:
Maryland Department of Health
Office of Internal Controls, Audit Compliance & Information Security
201 W. Preston Street
Baltimore, MD 21201
410-767-5314 office
410-333-7194 fax
MDH.IAC@Maryland.gov