HospitalInspections.org

Bringing transparency to federal inspections

16 HOSPITAL ROAD

PLYMOUTH, NH 03264

No Description Available

Tag No.: C0300

Based on review of medical records, interviews with hospital staff, and review of hospital policies and procedures, it was determined that the hospital failed to ensure that medical records were kept private and stored securely from unauthorized access.

Findings include:

The hospital failed to ensure that patients' medical records were kept private and confidential and stored securely.

(Refer to C308 and C309.)

No Description Available

Tag No.: C0308

Based on interview and record review, the hospital failed to ensure that patient medical information was kept private and confidential and stored securely to protect the records from unauthorized access.

Findings include:

Review on 5/5/11 of the police report dated 4/3/11 at 9:00 a.m. revealed that police were contacted because the vehicle of Staff C, Physician Practice Administrator, had been broken into and a hospital-owned computer tablet had been stolen. The vehicle had been broken into the night of 4/2/11. A quick search was conducted and nothing was noted to be missing. The car was in a parking garage without cameras. The next morning another search of the car was done, and at that time the hospital-owned tablet was noted to be missing.

Interview with Staff A revealed that Staff C did not report the loss of the hospital-owned computer tablet to Staff A, CEO/President, and/or Staff B, Director, Information Systems & HIM (Health Information Management), until 4/4/11 at 12:45 p.m. Staff A stated that the tablet was to be used on the hospital campus and that there was no policy and procedure for mobile devices such as the tablet.

The tablet was synchronized with Staff C's desktop at the hospital and contained the same data. The tablet contained varying degrees of patient personal and clinical information, to which Staff C's job description allowed access.

Review of the breach summary report, Assessment of Loss, dated April 5, 11, revealed:

- File name: AR contains 7,322 records containing full patient name, account number, physician name and amount due;
- File name: RAC InPT contains 211 records containing full patient name, medical record number, account number, date of service, ICD-9 codes;
- File name: RAC Obser contains 112 records containing full patient name, medical record number, account number, date of service, ICD-9 codes.

Interview with Staff B revealed that the protected health information was on the tablet's hard drive and that it was protected only by a single password, with no other encryption for portable devices.

(Cross refer to C309.)

No Description Available

Tag No.: C0309

Based on interviews, the hospital failed to ensure that patient medical information was kept private, confidential and stored securely, and was not removed from hospital grounds.

Findings include:

Staff C had a confidentiality agreement, signed on 6/23/09, which states:
"...9. I will tell my supervisor if I learn of any activity by any person, including myself, that is a violation of this agreement or any SMH information security or confidentiality policy ...
13. I will protect the privacy of our patients and employees.
15. I am responsible for protecting access to confidential information."

Review on 5/5/11 of the Policy titled Uses and Disclosures of Protected Health Information (Effective: 3/03, last reviewed 1/08, revised 1/05), under the section titled Records Location/Accessibility, reveals that "Hard copy medical records of all discharged inpatients, emergency department patients, observation patients, and day surgery patients are securely housed in the Health Information Department or in its off-site storage area ... Medical records are available for use within the hospital for the purposes of direct care and other health care operations by authorized SMH personnel."

Review on 5/5/11 of the policy titled Confidentiality-Administrative, with an effective date of 4/03, reviewed 1/08 and revised 1/4/05, reveals the following: "[name omitted] is committed to maintaining the privacy of its patients, employees and medical staff... Each employee must seek to limit his use or disclosure to the minimum necessary in order to further the mission of the hospital. Care must be taken to avoid accidental or inadvertent violations of privacy."

Under the section Medical Records:

1. The medical record is the property of [name omitted] ...
2. The medical record shall not be removed from the hospital unless:
- in response to a properly executed subpoena/court order
- in the case of an evacuation of the facility in response to a disaster/fire
- in order to carry out a hospital business function that is not located on the hospital's property (i.e., outside microfilming or remote storage.)

3. All employees of [name omitted] shall be responsible for protecting patient information ..."

Under the Policy titled Internet Use & Security, with an effective date of 4/03, reviewed 12/07 and revised 4/11: the policy is to provide Internet access to its employees for business use only. Access is granted on a case-by-case basis with the direct supervisor's approval.

Its purpose is to minimize risk associated with Internet use.

Under "The usage of the Internet is subject to the following:" ...
"Request of data over the internet by a vendor, customer, patient or Business Associate must be through a secure method and reviewed and approved by the Information Systems Department prior to data upload.
Users should never download files directly onto any Information Systems asset (e.g. ps, server, tablet, etc.). Downloads for those systems should be assisted by IS personnel or their designees."

Under the section Computer Information/Access, page 2:
1. Computer access has made ... "Unauthorized release of confidential information is a serious breach of policy and is a cause for disciplinary action ..."

Review on 5/5/11 of the Policy titled Remote Access Security Policy, page 5, under the section Sensitive Information on Laptops: "... Sensitive data should be saved on the network drive (not the hard drive) and should be restricted using appropriate access control ..."

Interview with Staff B on 5/5/11 revealed that the tablet did not have any encryption system other than the VPN access used to get into the main network system and the standard Microsoft password to access the tablet. However, all the protected health information had been downloaded onto the hard drive.

(Cross refer to C308.)