Tag No.: A0441
Based on document review and staff interview, in 1 of 13 Medical Records (MR) reviewed, it was determined that the facility did not develop and implement an ordering system that would ensure: (a) proper acquisition of portable electronic device, (b) safety and confidentiality of the patient's medical record (MR) content, which was stored in a portable electronic device (Laptop) used by the Bronchoscopy Staff.
Findings include:
On 6/11/2015 the facility discovered that a laptop containing Patient Protected Health Information (PHI) had been missing from the facility since January 28, 2015. Further investigation revealed that the PHI for patient MR #1 was stored in the Laptop device.
On 7/23/15 the facility informed the patient in a letter that the patient's name, medical record number, date of birth and CT (Computed Tomography) image were stored in the lost laptop.
The laptop containing the PHI for patient MR #1 was 1 (one) of 2 (two) laptops which were purchased in 2011 from a vendor, and was used for "mapping and care planning" in the Bronchoscopy Department.
These two laptops were confirmed last seen by the Bronchoscopy Staff on January 28, 2015, when Staff #7 delivered them to another location in the facility and placed them on top of a shredder. Thereafter, the laptops were never found again. The Bronchoscopy Staff did not discover the loss until several months later when a physician requested to use the laptop, on May 25, 2015.
At interview on 10/22/15 at 1:25pm, Staff #3, Chief Information Security Officer, stated that the laptop containing the patient's PHI was verified as only password protected.
At interview on 10/22/15, Staff #8, Sr. Director Health Information Management, denied knowledge of the existence of the laptop as a means of recording patients' medical records. Staff #8 also did not know of any PHI protection systems provided for the laptop. It was verified that PHI stored in the laptops was stored in the hardware of the device. The patient's care plan was completed using the laptop and then transferred to an associated computer's main tower through an "iron key /or USB". The information in the laptops was unencrypted and unprotected.
The facility also could not account for how many such unprotected, movable electronic medical records storage devices it had within its system and could not define the risk it had regarding security of patients' PHI.