HospitalInspections.org

Based on interviews and documentation review, the Hospital failed to implement policies/procedures in a timely manner regarding the removal and transportation of paper or electronic protected health information (PHI; identifies a patient by name and contains information regarding the patient's past, present or future physical or mental condition, treatment or health care) or personal information (PI; such as social security number) from the Hospital.

Findings included:

It was reported that on 6/21/11 an external hard drive (HD #1) belonging to Hospitalist #1 that may have contained protected health information (PHI; identifies a patient by name and contains information regarding the patient's past, present or future physical or mental condition, treatment or health care) related to 172 patients from the Hospital was lost while Hospitalist #1 was traveling out of the country.

Hospitalist #1 said in June, 2011 he was preparing to spend the next 7 months providing medical care in other countries and packed portable storage devices including 2 external hard drives (HD #1 used/stored in January and HD #2). Hospitalist #1 said that on 6/21/11 he was in Mexico and took a taxi to meet medical students. Hospitalist #1 said he had approximately 6 pieces of luggage and when he arrived at his destination the students assisted in removing the luggage from the taxi. Hospitalist #1 said he counted the pieces of luggage, realized there was one piece of luggage left in the taxi and turned to retrieve the luggage, but the taxi pulled away. Hospitalist #1 said the luggage taken by the taxi driver contained one of his external hard drives and he thought it was HD #2. Hospitalist #1 said on 6/21/11 he contacted the Help Desk and reported the loss.

The Chief Privacy Officer was interviewed throughout the Survey. The Chief Privacy Officer said she was informed of the PHI breach on 7/6/11 and that it possibly affected 172 patients. The Chief Privacy Officer said an investigation was already in process and an Identity Theft Service was contracted.

Review of the Hospital's education for medical staff indicated they were provided computer-based education during orientation and annually regarding health information privacy and security including the HIPAA law, PHI and securing mobile devices (laptops). Education also addressed breaches and steps taken when a breach occurred. The education was implemented in April, 2004, updated and revised as laws and policies were changed, and converted to electronic format in 2010.

Review of documentation provided by the Hospital indicated that medical staff were required to sign a confidentiality agreement that addressed accessing PHI and PI on a need-to-know basis and health information privacy.

Review of Policies/Procedures regarding privacy and health information security in effect at the time of the potential PHI breach included:
1) The Mobile Device Policy effective 1/29/09 and the Laptop Encryption Policy effective 4/12/10 that indicated mobile devices (such as laptops) and portable storage devices (such as flash drives and hard drives) must be encrypted or password protected.
2) The Safeguarding PHI Policy effective 1/10 and the Patient Confidentiality Policy effective 1/10 that addressed procedures that employees must follow when viewing (paper or computerized information), transmitting (via fax or electronically), photocopying (types of information that could not be photocopied) and/or accessing PHI as required with their job responsibilities.
3) The Investigative Guidelines for Reported Breach of Privacy of PHI Policy approved 11/18/10 that outlined the steps to be taken to address reported breaches of privacy.

Review of the above education and policies indicated limitations regarding removal and transportation of paper or electronic PHI and/or PI were not addressed.

During interviews with physicians regarding their knowledge and/or practice regarding privacy and health information security, Physician #1 (a private practice physician) was interviewed on 8/17/11 at 1:30 P.M. Physician #1 said he photocopied and removed patient information from the Hospital in paper form (such as radiology and laboratory reports) for patient files maintained at his office located in his home.

The Hospital provided a Physical Removal and Transport of PHI and Personal Information Policy. The Policy, in draft form, included basic requirements for physical removal or transport of PHI and/or PI in paper or electronic form from or within the Hospital. The Policy had not been implemented at the time of the survey.

The Chief Privacy Officer was interviewed throughout the survey. The Chief Privacy Officer said the Physical Removal and Transport of PHI and Personal Information Policy had not been implemented because it was pending final approval.

Based on interviews and documentation review the Hospital failed to ensure that: 1) staff were re-educated regarding the Hospital policies/procedures related to privacy, security and encryption following the potential PHI breach; 2) policies/procedures regarding the removal and transportation of paper or electronic protected health information (PHI or PI) were implemented and 3) staff were educated regarding flash drive encryption requirements.

Findings included:

1) The Hospitalist Program Director was interviewed in person on 8/5/11 at 12:05 P.M. The Hospitalist Director said the Hospitalists were required to hand-off reports to one another to ascertain continuity of care. The Hospitalist Director said the Hospitalist Signout document was completed and stored electronically in the Hospital's secure electronic information system.

Review of the Hospitalist Signout document indicated it contained sections to document the patient name, medical record number, primary and secondary diagnoses, a brief history, a brief plan, important pending tests, contingency plans/concerns, code status and the primary care physician or other key providers and the status of communication with them. The document could hold information for up to 15 patients.

Hospitalist #1 was interviewed on 8/9/11 at 9:00 A.M. Hospitalist #1 said he owned a personal laptop computer, external hard drives and Universal Serial Bus (USB) flash drives. Hospitalist #1 said he was aware of Hospital #1's requirements regarding encryption and that his laptop computer was encrypted. Hospitalist #1 said prior to this Incident he thought backing up information to an external drive from the encrypted laptop meant the information remained encrypted. Hospitalist #1 said it was his practice to frequently backup information from the laptop because he was concerned about loss of data. Hospitalist #1 said he downloaded and saved Hospitalist Signout documents to his laptop so he would have the information readily available to refer to if contacted.

Hospitalist #1 said in January, 2011 he started to back up the folder containing the Hospitalist Signout documents onto a newly purchased external hard drive (HD #1). Hospitalist #1 said the back-up was taking too long and after approximately 10 minutes he aborted the back-up, made the motion to erase it, then put HD #1 back into its original package on a shelf in his home.

Hospitalist #1 said in June, 2011 he was preparing to spend the next 7 months providing medical care in other countries and packed portable storage devices including 2 external hard drives (HD #1 used/stored in January and HD #2). Hospitalist #1 said that on 6/21/11 he was in Mexico and took a taxi to meet medical students. Hospitalist #1 said he had approximately 6 pieces of luggage and when he arrived at his destination the students assisted in removing the luggage from the taxi. Hospitalist #1 said he counted the pieces of luggage, realized there was one piece of luggage left in the taxi and turned to retrieve the luggage, but the taxi pulled away. Hospitalist #1 said the luggage taken by the taxi driver contained one of his external hard drives and he thought it was HD #2. Hospitalist #1 said the Hospital was informed of the loss.

Hospitalist #1 said several days later he went through the remaining luggage and realized it was HD #1 and not HD #2 that was lost. Hospitalist #1 said he immediately contacted the Information Security and reported the external hard drive lost was not the one originally thought.

The Chief Privacy Officer was interviewed throughout the Survey. The Chief Privacy Officer said she was informed of the PHI breach and that it possibly affected 172 patients. The Chief Privacy Officer said an investigation was conducted and an Identity Theft Service was contracted.

The Chief Privacy Officer said that as of the survey the recent PHI breach was discussed at several committee meetings, but staff were re-educated regarding the Hospital policies/procedures related to privacy, security and encryption there had been no additional corrective actions by Hospital #2 as of the survey. The Chief Privacy Officer said she was involved in telephone conferences three times weekly that was focused on corrective action planning.

2) Please refer to A-0147.

3) During the survey the surveyor asked to see education regarding the USB Drive Encryption Policy, effective 5/3/11.

The Chief Privacy Officer said the Hospital had not implemented training related to USB drive encryption.

Based on interviews and documentation review the Hospital failed to ensure that all physicians affiliated with the Hospital received education regarding privacy and health information security.

Findings included:

The Director of Quality Improvement and Patient Safety was interviewed on 8/23/11 throughout the Investigation and the Hospital's education for medical staff regarding privacy and health information security was reviewed. The Quality Director said physicians on the medical staff at the Hospital were either employed under the Hospital System's Physician Organization (PO) or were in private practice (5 private practice physicians and 5 private practice physician groups). The Quality Director said physicians employed by the PO were required to complete health information privacy and security education on orientation and annually.

Review of the Hospital's education for medical staff indicated they were provided computer-based education during orientation and annually regarding health information privacy and security including the HIPAA law, PHI and securing mobile devices (laptops). Education also addressed breaches and steps taken when a breach occurred.

The Director of Quality Improvement and Patient Safety said physician/physician groups who were not employed by the PO were not required to complete the education.