HospitalInspections.org

Bringing transparency to federal inspections

555 EAST VALLEY PARKWAY

ESCONDIDO, CA 92025

PROTECTING PATIENT RECORDS

Tag No.: A0441

Based on interview and record review, the facility failed to ensure a registered nurse (RN 1) followed the facility's policy to safeguard patient PHI (protected health information) when RN 1 copied PHI for 637 (six hundred and thirty seven) patients to an unsecured device. As a result of this violation, the PHI of 637 patients, placed on an unsecured, unauthorized device by RN 1, was put at risk when the device was stolen from the front seat of her car parked in her driveway.

The facility also failed to ensure 1 sampled staff person (RN 1) and 4 of 5 randomly sampled staff persons (SP 1, 2, 3 and 4 of SP 1 through 5) signed a User Agreement for a laptop computer issued to the staff per their policy and procedure. As a result, the facility was unable to provide documentation to show that staff had read and signed the agreement indicating they were aware of the policies and procedures for safeguarding patient PHI when using facility laptops and portable devices.

Findings:

1. On 3/28/14, the Department of Public Health (Department) was notified via fax by the facility's outside legal counsel that on 2/22/14, the facility learned two flash drives (a portable device used to copy and store information from a computer) were stolen from the vehicle of RN 1.

A telephone interview was conducted with the facility Privacy Officer (PO) on 4/3/14 at 11 A.M. The PO stated the theft of the PHI occurred at the home of RN 1. The PO further stated RN 1 was not authorized to take the PHI home.

An onsite interview was conducted at the facility on 4/8/14 at 10:35 A.M., with the Director of Information Technology (DIT), the Manager of Information Security (MIS) and the PO.

According to the DIT, she was notified by the MIS on 2/22/14 at 5:36 A.M. that RN 1 had reported her laptop computer was stolen from her car. The DIT stated she was not aware that two flash drives were also stolen until she received an email with an attached police report sent by RN 1 on 2/22/14 at 8:56 A.M. The DIT then called RN 1, who verified there could be patient PHI on the flash drives that were stolen.

The DIT further stated she ran a facility program which would detect if patient PHI was on the flash drives. The DIT stated, "It appeared to have PHI. There were patient names, orders and things you would consider to be PHI."

The DIT provided the facility policy, revised 4/12, titled Computer Systems Usage at [Facility]. According to the policy, "Employee and authorized non-employees are responsible to follow PC (personal computer)/Laptop and Portable Device Access and Appropriate Usage Standards procedure as applicable."

According to the facility policy, dated 1/5/12, titled PC/Laptop and Portable Device Access and Appropriate Usage, "Always use shared network drives to store confidential or sensitive data..." and, "Laptops should never be left unattended in a vehicle."

The DIT stated the prohibited use of flash drives was also reviewed in the facility Annual Safety Competencies. In addition, she stated staff could not pass the Annual Safety Exam until they had correctly answered the question related to the use of flash drives.

The PO was interviewed on 4/8/14 at 11:15 A.M. The PO provided the Annual Safety Competencies completed by RN 1 for 2/2009, 2/2010, 2/2011, 2/2012, 2/2013 and 1/2014. The PO also stated the Privacy Office did not give RN 1 permission to take patient PHI home.

RN 1 was interviewed on 4/8/14 at 12:50 P.M. According to RN 1, she left the two flash drives, along with a facility-issued laptop computer, in her work bag on the floor of her car, parked in her driveway overnight. RN 1 stated when she came out to her car the next morning on 2/22/14 at 5:45 A.M., the work bag was missing.

According to RN 1, she had been the Nursing Informatics Manager since October 2011. RN 1 stated as Nurse Informatics Manager, she would download various reports, including medication compliance reports and chart audits. In addition, she downloaded emails with PHI to unencrypted personal flash drives (encryption is a process of encoding information in such a way that only authorized parties can read it) without permission from the Privacy Officer. RN 1 stated she did not tell anyone she downloaded patient PHI to her flash drive. RN 1 acknowledged it was "inappropriate" for her to copy patient PHI to her flash drives, saying, "I didn't connect the dots."

According to RN 1, she began copying information to one flash drive five years ago, but when that flash drive stopped working properly, "I made a copy of the old one to a new one." RN 1 stated she kept the broken flash drive, which contained patient PHI, because, "I didn't know what to do with it." She further stated she did not seek advice from her Supervisor or the Information Technology department because, "It didn't cross my mind." RN 1 stated she did not secure the two flash drives in her office because she traveled to all three health care facilities.

As a result of the failure of RN 1 to adhere to the policies and procedures of the facility regarding the protection of medical records, the PHI for 637 patients was placed at an avoidable risk for theft and loss.

2. On 4/8/15, during an investigation of a breach of PHI that occurred on 2/22/14, the facility provided the policy, dated 1/5/12, PC/Laptop and Portable Device Access and Appropriate Usage. According to the policy, "PC Tech issuing the [Facility] device will notify staff that they are to read and sign understanding of the PC/Laptop and Portable Device Security and User Agreement form; once completed, the form is to be sent to the Information Security Office."

The facility also provided the current User Agreement, titled PC and Mobile/Portable Device Security and User Agreement. Per the User Agreement, "All individuals granted access to and/or use of facility PC and/or Mobile/Portable Devices must agree to abide by the requirements set forth in this agreement." The agreement further indicated, "You will NEVER: Leave your [Facility] Mobile/Portable Device(s) unattended. Leave your [Facility] Mobile/Portable Device(s) in a vehicle. Store files that contain patient or other [Facility] confidential information... on ANY removable devices (such as a... flash drive)..." and "You will ALWAYS: Ensure the PC and/or Mobile/Portable Device(s) is/are PHYSICALLY SECURE AND NEVER LEFT UNATTENDED."

On 4/8/15 at 1:10 P.M., RN 1 stated during an interview she did not sign a User Agreement for the laptop computer that was stolen.

On 4/8/15 at 1:30 P.M., the DIT was interviewed. According to the DIT, there were about 450 staff on the list who had been issued a PC and/or a mobile/portable device by the facility. However, there were no dates on the list to indicate when the devices were issued.

Five employees were randomly selected from the list. Four of the 5 employees (SP 1, 2, 3, and 4) did not have a signed User Agreement on file. One employee (SP 5) had a User Agreement dated 12/11/09. The DIT stated she was also unable to find a signed copy of RN 1's User Agreement for her stolen laptop computer.

According to the DIT, the PC Techs began obtaining User Agreements from staff in 2012. The DIT stated the facility did not go back to obtain User Agreements from staff issued devices prior to 2012; however, the DIT was unable to explain why there was a signed User Agreement from 2009. The DIT further stated staff received annual training that included how to protect PHI, and were responsible for following the facility policy whether or not a User Agreement was signed.

The facility did not have documentation that staff read and signed an agreement to safeguard patient PHI stored on facility PC and Mobile/Portable Device equipment issued to the employee, per facility policy.