75 FRANCIS STREET

BOSTON, MA 02115

PATIENT RIGHTS: CONFIDENTIALITY OF RECORDS

Tag No.: A0147

Based on interviews and documentation review, the Hospital failed to implement policies/procedures in a timely manner regarding the removal and transportation of paper or electronic protected health information (PHI; identifies a patient by name and contains information regarding the patient's past, present or future physical or mental condition, treatment or health care) or personal information (PI; such as social security number) from the Hospital.

Findings included:

It was reported that on 6/21/11 an external hard drive (HD #1) belonging to Hospitalist #1 that may have contained protected health information (PHI; identifies a patient by name and contains information regarding the patient's past, present or future physical or mental condition, treatment or health care) related to 566 patients from the Hospital was lost while Hospitalist #1 was traveling out of the country.

Hospitalist #1 was interviewed on 8/9/11 at 9:00 A.M. Hospitalist #1 said in June, 2011 he was preparing to spend the next 7 months providing medical care in other countries and packed portable storage devices including 2 external hard drives (HD #1 used/stored in January and HD #2). Hospitalist #1 said that on 6/21/11 he was in Mexico and took a taxi to meet medical students. Hospitalist #1 said he had approximately 6 pieces of luggage and when he arrived at his destination the students assisted in removing the luggage from the taxi. Hospitalist #1 said he counted the pieces of luggage, realized there was one piece of luggage left in the taxi and turned to retrieve the luggage, but the taxi pulled away. Hospitalist #1 said the luggage taken by the taxi driver contained one of his external hard drives and he thought it was HD #2. Hospitalist #1 said he contacted the Hospital's Help Desk to report the loss.

The Health Insurance Portability and Accountability Act (HIPAA) Compliance Project Manager was interviewed on 8/9/11 at 10:25 A.M. with the Director of Health Information Services (HIS) and the Executive Director of Risk Management present. The HIPAA Manager said on 6/21/11 Hospitalist #1's reported loss was conveyed to the Hospital's Information Security Officer (not available for an interview at the time of the survey) and to herself.

Review of the Hospital's education for medical staff indicated they were provided computer-based education during orientation and annually regarding health information privacy and security including the HIPAA law, PHI, securing mobile devices (laptops). Education also addressed breaches and steps taken when a breach occurred. The education was implemented in April, 2004, updated and revised as laws and policies were changed, and converted to electronic format in 2010.

Review of documentation provided by the Hospital indicated that medical staff were required to sign a confidentiality agreement that addressed accessing PHI and PI on a need-to-know basis and health information privacy.

Review of the Hospital's Policies/Procedures regarding protection of PHI and PI, privacy and health information security in effect at the time of the potential PHI breach included:
1) The Mobile Device Policy effective 1/29/09 and the Laptop Encryption Policy effective 4/12/10 indicated mobile devices (such as laptops) and portable storage devices (such as flash drives and hard drives) must be encrypted or password protected.
2) The Safeguarding PHI Policy effective 1/10 and the Patient Confidentiality Policy effective 1/10 addressed procedures employees must follow when viewing (paper or computerized information), transmitting (via fax or electronically), photocopying (types of information that could not be photocopied) and/or accessing PHI as required with their job responsibilities.
3) The Investigative Guidelines for Reported Breach of Privacy of PHI Policy approved 11/18/10 that outlined the steps to be taken to address reported breaches of privacy.

Review of the above education and policies indicated limitations regarding removal and transportation of paper or electronic PHI and/or PI were not addressed.

The Hospital provided a Physical Removal and Transport of PHI and Personal Information Policy. The Policy, in draft form, included basic requirements for the physical removal or transport of PHI and/or PI in paper or electronic form from or within the Hospital. The Policy had not yet been implemented at the time of survey.

The Executive Director of Risk Management and the Director of Health Information Services (HIS) were interviewed throughout the Survey. They said policies were developed by the Hospital System (who had oversight of the Hospital) and were disseminated to the individual Hospitals who were responsible for reviewing and customizing the policy(s) to their Hospital. They said the policy(s) were then approved by the Hospital committees and implemented.

Tag No.: A0288

Based on interviews and documentation review the Hospital failed to ensure that: 1) staff were re-educated regarding the Hospital's policies/procedures related to privacy, security and encryption following the potential PHI breach; 2) communications regarding portable storage device encryption included all portable devices and communications were being acknowledged by staff who received them and 3) policies/procedures regarding the removal and transportation of paper or electronic protected health information (PHI or PI) were implemented.

Findings included:

1) The Hospitalist Program Director was interviewed on 8/5/11 at 12:05 P.M. The Hospitalist Director said the Hospitalists were required to hand off reports to one another to ensure continuity of care. The Hospitalist Director said the Hospitalist Signout document, a Word document, was completed and stored in the Hospital's secure electronic information system.

Review of the Hospitalist Signout document indicated it contained sections to document the patient name, medical record number, primary and secondary diagnoses, a brief history, a brief plan, important pending tests, contingency plans/concerns, code status, and the primary care physician or other key providers and the status of communication with them. The document could hold information for up to 15 patients.

Hospitalist #1 was interviewed on 8/9/11 at 9:00 A.M. Hospitalist #1 said he owned a personal laptop computer, external hard drives and Universal Serial Bus (USB) flash drives. Hospitalist #1 said he was aware of the Hospital's requirements regarding encryption and that his laptop computer was encrypted. Hospitalist #1 said prior to this Incident he thought backing up information to an external drive from the encrypted laptop meant the information remained encrypted. Hospitalist #1 said it was his practice to frequently backup information from the laptop because he was concerned about loss of data. Hospitalist #1 said he downloaded and saved the Hospitalist Signout documents to his laptop so he would have the information readily available to refer to if contacted.

Hospitalist #1 said in January, 2011 he started to back up the folder containing the Signout documents to a newly purchased external hard drive (HD #1). Hospitalist #1 said the back-up took too long and after approximately 10 minutes he aborted the back-up, went through the steps to erase it, then put HD #1 back into its original package and on a shelf in his home.

Hospitalist #1 said in June, 2011 he was preparing to spend the next 7 months providing medical care in other countries and packed portable storage devices including 2 external hard drives (HD #1 used/stored in January and HD #2). Hospitalist #1 said that on 6/21/11 he was in Mexico and took a taxi to meet medical students. Hospitalist #1 said he had approximately 6 pieces of luggage and when he arrived at his destination the students assisted in removing the luggage from the taxi. Hospitalist #1 said he counted the pieces of luggage, realized there was one piece of luggage left in the taxi and turned to retrieve the luggage, but the taxi pulled away. Hospitalist #1 said the luggage taken by the taxi driver contained one of his external hard drives and he thought it was HD #2. Hospitalist #1 said he contacted the Hospital's Help Desk to report the loss.

The Health Insurance Portability and Accountability Act (HIPAA) Compliance Project Manager was interviewed on 8/9/11 at 10:25 A.M. with the Director of Health Information Services (HIS) and the Executive Director of Risk Management present. The HIPAA Manager said on 6/21/11 Hospitalist #1's reported loss was conveyed to the Hospital's Information Security Officer (not available for an interview at the time of the survey) and to herself. The HIPAA Manager said Hospitalist #1 was contacted and was able to provide a receipt and the make/model number of the external hard drive thought to be lost. The HIPAA Manager said research determined the external hard drive reported missing was encrypted. The HIPAA Manager said the case was kept open several days to see if the piece of luggage was returned and then closed.

Hospitalist #1 said several days later he went through the remaining luggage and realized it was HD #1 that was lost. Hospitalist #1 said he immediately contacted the Information Security Officer and reported the external hard drive lost was not the one originally thought.

The HIPAA Compliance Project Manager said that on 7/1/11 the Information Security Officer was contacted by Hospitalist #1 who provided a receipt and make/model number for HD #1. The HIPAA Manager said research determined HD #1 was not encrypted. The HIPAA Manager said Hospitalist #1 reported the aborted back-up to the lost drive in January, 2011 and a new investigation was started.

Review of the Hospital's corrective actions indicated none of the post-Incident electronic communications included reminders regarding the Hospital's policies/procedures related to privacy, security and encryption following the potential PHI breach.

2) The Policy titled Universal Serial Bus (USB; portable storage drives) Drive Encryption was in the process of implementation at the time of the survey. Electronic communications were sent out on 6/21/11, 7/13/11, 7/21/11 (in a newsletter), 8/1/11 and 8/9/11 informing all staff to read the policy, whom to contact to obtain approved encrypted devices and whom to contact if there were any questions.

The communications did not address other portable storage devices such as external hard drives.

The Executive Director of Risk Management and the Director of Health Information Services (HIS) were interviewed as needed throughout the survey. They said the policy regarding external hard drive encryption was still at the Hospital System (who had oversight over the Hospital) level and had to be disseminated to the Hospital, customized to the Hospital, and then implemented.

There was no mechanism in place to know if the electronic communications regarding USB flash drives were being acknowledged and acted upon.

The Executive Director of Risk Management confirmed there was no mechanism in place to ensure electronic communications regarding flash drive encryption were acknowledged and acted upon.

3) Please refer to A-0147.