HospitalInspections.org

Based on review of documentation and interviews, the Hospital failed to ensure that patients had the right to confidentiality of his or her clinical records.

Findings included:

1) On 8/17/11, the Hospital notified the Department that on 6/20/11, a note book containing handwritten Patient Health Information [PHI] about 49 patients was stolen from a locked physician's office located within the hospital.

2) The Privacy and Confidentiality Officer [PCO] reported that the Physician maintained a small notebook for the purpose of following up on pending test results and notifying patients once the results were received. The Physician reported the notebook contained handwritten notes containing the following information: first name, middle initial (if available), last name, gender, date of birth, provider's name, fiscal identification number (the number is assigned by the hospital and not linked to social security number or insurance source), medical record number, telephone number and the provider's name.

3) The Physician's office is located on the East Campus of the Hospital. The Physician reported that she had left the notebook on the desk in her office and locked the door on Friday, June 17, 2011. The Physician reported that she is always careful to check and re-check the door when locking it. On Monday, June 20, 2011, the Physician returned to the office and noted the notebook was missing from the desk and reported the loss to the Chief Administrative Officer for the practice. Steps were taken to request a new lock for the office and the practice began the process of identifying which patients whose data was contained in the notebook.

4) The Campus Police was notified of the loss on 6/21/11 and an investigation was conducted on 6/22/11. Only two clinical persons [the Physician and a Nurse Practitioner] have a key to the office in that practice. The other persons who have access to the office are cleaning personnel. There are no surveillance cameras in the area. The Nurse Practitioner who had a key to the office, was not present, as concluded by the lack of a swipe of the person's access card in the area of the clinic, that weekend. No conclusive information was discovered in the investigation.

5) Although the Physician locked the office door, the notebook containing PHI was left on top of the desk and accessible. The notebook was not placed within a locked drawer or cabinet. Other persons, including housekeeping staff, had keys to the Physician's office.

6) Review of Hospital Policy titled, "Safeguarding Protected Health Information," Point 4. Transportation and Storage of PHI b. Paper medical records shall be maintained in secure areas.


Timeline of actions taken after the identification of missing PHI:

7) On July 8, 2011, the PCO requested additional information about the patients affected and the steps the practice was taking to ensure this does not happen again.

On July 11, 2011, The PCO was provided with a list of the patients who information was contained in the missing notebook. There were 49 patients affected. The practice was advised to keep any source of information about patients in a locked drawer and ensure the door is also locked when not occupied.

On July 25, 2011, the PCO requested the IS Department to retrieve the demographic information for the patients affected to develop notice letters.

On July 27, 2011, the PCO spoke to the Chief Administrative Officer who confirmed that all physician's within the practice were informed of the loss and directed to store any written materials, mobile devices, memory sticks, etc_ in a locked drawer.

On August 2nd and 3rd, 2011, the PCO examined a copy of the label that was contained in the notebook to determine what data was in the notebook.

On August 3, 2011, letters were drafted to the Patient's affected. The letters were mailed on August 5, 2011.

8) Other actions taken to ensure this incident does not re-occur include informing the broader hospital community about the incident and the remediation steps that were taken. The Hospital's Senior Leadership was also notified of the event.