Tag No.: A0043
Based on review of hospital documentation, review of policies and documentation, and interviews with staff, the Condition of Governing Body has not been met as evidenced by the hospital's failure to ensure that services performed under contract were performed in a safe and effective manner. The finding includes:
For 2,097 patients who received treatment at the hospital between 2009 and 2011, their personal health information was not protected when an unencrypted laptop computer containing personal health information was stolen from a contracted service and/or staff member of the contracted service.
Please refer to A84.
Tag No.: A0084
Based on review of facility documentation, review of facility policies and interviews, the Hospital failed to ensure that a contracted service adequately safeguarded the protected health information (PHI) of 2,097 patients. The finding includes:
Facility documentation dated 8/13/12 identified that Patients #11 through #20 and 2,087 additional patients had received treatment at the facility from 2009 to 2011 related to their diagnosis of congestive heart failure (CHF). A contract between the Facility and Corporation #1 dated 12/28/11 identified that Corporation #1 would analyze patient data to improve patient outcomes, reduce re-admissions and discover additional insights. Facility documentation dated 8/13/12 identified that on or about 6/6/12, an employee of Corporation #1 had his/her unencrypted laptop computer stolen. The laptop computer contained PHI (social security number, birth date, diagnosis, etc.) of Patients #11 through #20 and the PHI of 2,087 additional patients. Interview with the Facility Deputy General Counsel on 8/30/12 at 1:00 PM indicated that it was Corporation #1's policy to ensure that every computer was encrypted and that, following the breach, Corporation #1 had found other laptop computers that were not encrypted. The Facility Deputy General Counsel on 8/30/12 at 1:00 PM noted that although the facility had an informal contract policy, the facility developed a written contract policy dated July 2012 to include a pre-contract evaluation and questionnaire for vendors to better ensure patient privacy and security.
Tag No.: A0115
Based on review of hospital documentation, review of policies and documentation, and interviews with staff, the Condition of Patient Rights has not been met as evidenced by the hospital's failure to protect and promote each patient's rights. The finding includes:
For 2,097 patients who received treatment at the hospital between 2009 and 2011, their personal health information was not protected when an unencrypted laptop computer containing personal health information was stolen from a contracted service and/or staff member of the contracted service.
Please refer to A147.
Tag No.: A0147
Based on review of facility documentation, review of facility policies and interviews, the hospital failed to ensure that protected health information (PHI) was adequately safeguarded. The finding includes:
Facility documentation identified that Patients #11 through #20 had received treatment at the facility from 2009 to 2011 related to their diagnosis of congestive heart failure (CHF). The contract with Corporation #1 dated 12/28/11 identified a goal to seek out and provide analytical insight related to CHF to improve patient outcomes, reduce re-admissions and discover additional insights. The contract further indicated that Corporation #1 would make all needed data available to Subsidiary #1 to solve selected problems. Facility documentation dated 8/13/12 identified that on or about 6/6/12, patient data was transferred to a Corporation #1 server by the facility. The facility documentation also noted that on 6/22/12, a Data Scientist from Corporation #1's subsidiary brought a laptop computer home. The laptop was unencrypted, contained PHI (social security number, birth date, diagnosis, etc.) of Patients #11 through #20, and was stolen from the Data Scientist's home. Interview with the Facility Deputy General Counsel on 8/30/12 at 1:00 PM noted that the stolen laptop computer also contained, in part, the PHI of 2,087 additional patients who had received treatment related to CHF at the facility from 2009 to 2011. S/he further indicated that although the information sent to Corporation #1's server was encrypted, the stolen laptop was not encrypted, and that it was Corporation #1's policy to ensure that every computer was encrypted. The Facility Deputy General Counsel on 8/30/12 at 1:00 PM indicated that the facility did not have a policy or procedure in place (at the time of the breach) to ensure the safety and confidentiality of PHI once the information was transferred to a contracted vendor. The facility policy for patient rights identified that the patient had the right to personal privacy and confidentiality.
Subsequent to the event, the facility developed a contract policy and procedure dated July 2012 to include a pre-contract questionnaire for vendors to better ensure patient privacy and security.