Department of Internal Audit and Compliance

We wanted to bring to your attention the recent Office of Foreign Assets Control (OFAC) record retention requirement update, which takes effect on March 12, 2025. OFAC is a financial intelligence and enforcement agency of the U.S. Treasury Department. It administers and enforces economic and trade sanctions in support of U.S. national security and foreign policy objectives Previously, OFAC required maintenance of records for five years, but the new regulation extends this period to ten years from the date of the relevant payment. 

We wanted to ensure everyone was aware of this update given its potential impact. Beyond research administration compliance, this change may affect other operational units. This includes records related to the disclosure of endowments or donations, gifts or contracts with foreign individuals or entities of concern, and international travel. Compliance with this new requirement will require updates to institutional policies and procedures, as well as a review of how this change intersects with other legal obligations and statutes of limitations. Additionally, with the increased federal scrutiny of higher education institutions, as seen in recent False Claims Act enforcement actions, ensuring compliance with this change is critical to mitigating legal and compliance risks. 

To proactively align with the updated requirement, process owners may want to consider the following:

• • Engaging with other impacted University departments to ensure institution-wide compliance.
  • Reviewing/Updating relevant policies and procedures
  • Confirming that our current record retention system can maintain and secure records for the extended period.
  • Implementing training/awareness initiatives for relevant personnel

Please read the article below from the Federal Register on reporting, procedures, and penalties to learn more.

The U.S. Attorney for the Southern District of New York announced that a U.S. District Judge sentenced a nurse practitioner who stole the identities of twelve medical doctors and orchestrated an $11.2 million disability loan fraud scheme, in early February to five years in prison. Please read this article from the Justice Department to learn more.

Congress enacted section 117 of the Higher Education Act, as amended, (Section 117) mandating financial transparency of institutions of higher education (institution) through required reporting of gifts from and contracts with a foreign source. Applicable institutions must file a disclosure report by one of the two annual reporting deadlines, January 31 or July 31, whichever is sooner. Section 117 helps to raise awareness of potential foreign influence on college campuses which could help stakeholders assess, detect, and respond to potential threats to U.S. academic and research pursuits, free speech on campuses, and national security. Click on the link below from the Office of Inspector General’s webpage to learn more.

Indiana University Health (IU Health) has reported a data breach affecting a limited number of individuals, potentially compromising Social Security Numbers and other sensitive personal information. The breach, first detected on November 8, 2024, impacted specific patient and employee data, and IU Health notified those affected on January 2, 2025. According to IU Health, the breach may have included personal details such as addresses, ages, medical record numbers, diagnoses, and other treatment-related information. While the breach primarily impacted a limited group of individuals, the affected data included Social Security Numbers. The breach occurred due to unauthorized access to an IU Health team member’s email account, compromised between August 27, 2024, and October 2, 2024.

The Texas Tech University Health Sciences Center and its El Paso counterpart suffered a cyberattack that disrupted computer systems and applications, potentially exposing the data of 1.4 million patients. The organization is a public, academic health institution that is part of the Texas Tech University System, which educates and trains healthcare professionals, conducts medical research, and provides patient care services. The organization announced that, in September 2024, it suffered a cyberattack involving sensitive data theft. In a filing with the U.S. Department of Health and Human Services Office for Civil Rights (OCR), the Texas Tech University Health Sciences Center reports that the breach exposed the combined data of 1,465,000 people.

A month after a Doctor of Pharmacy student enrolled at the University of Tennessee, the college’s professional conduct committee received an anonymous complaint about her posts on social media. The college reviewed her posts, which included racy rap lyrics and tight dresses, and concluded that they were vulgar and unprofessional. It threatened to expel her. For the last four years, the student has been fighting the school in court, arguing that the posts were fun and sex-positive, and unconnected to a status as a student. Now the student has won a settlement: In late-January, receiving a check for $250,000 -- both vindication and relief, the student said.

The U.S. Department of Education’s OCR on January 6^th announced that Johns Hopkins University in Maryland has entered into a resolution agreement to ensure alignment with Title VI of the Civil Rights Act of 1964 (Title VI) when responding to allegations of harassment based on shared ancestry (a common heritage that a group of people share, including cultural practices, languages, and traditions). OCR’s investigation confirmed multiple important steps taken by the university to fulfill its Title VI obligations with respect to shared ancestry. Nonetheless, OCR identified a Title VI concern that, although the university received ninety-nine complaints of harassment based on shared ancestry from October 2023 through May 2024, the records do not reflect university consideration of whether these and other incidents individually and cumulatively created a hostile environment for students.

Health officials warn the increased use of nitrous oxide, an inhalant commonly used by healthcare providers as a sedative, is causing an influx in throat and mouth injuries among college students. Commonly referred to as laughing gas, nitrous oxide is an odorless gas used for sedation and pain relief as it slows down the nervous system by restricting oxygen flow to the brain, producing a high. For months now, social media has amplified the trend as people film themselves or their friends’ doing whippets. Experts say as young people continue to struggle with their mental health, the increase in social media posts about huffing have contributed to its normalization.