The information below comes from the statement of deficiencies compiled by health inspectors and provided to AHCJ by the Centers for Medicare and Medicaid Services. It does not include the steps the hospital plans to take to fix the problem, known as a plan of correction. For that information, you should contact the hospital, your state health department or CMS. Accessing the document may require you to file a Freedom of Information Request. Information on doing so is available here.

NEW YORK UNIVERSITY LANGONE MEDICAL CENTER 550 FIRST AVENUE NEW YORK, NY 10016 Oct. 26, 2015
VIOLATION: CONFIDENTIALITY OF MEDICAL RECORDS Tag No: A0441
Based on document review and staff interview, in 1 of 13 Medical Record (MR) reviewed, it was determined that the facility did not develop and implement an ordering system that would ensure: (a) proper acquisition of portable electronic devise, (b) safety and confidentiality of the patient's medical record (MR) content, which was stored in a portable electronic devise (Laptop) used by the Bronchoscopy Staff.


Findings include:

On 6/11/2015 the facility discovered that a laptop containing Patient Protected Health Information (PHI) was missing from the facility since January 28, 2015. Further investigation revealed that the PHI for patient MR #1, was stored in the Laptop device.
On 7/23/15 the facility informed the patient in a letter that the patient's name, medical record number, date of birth and CT (Computed Tomography) image were stored in the lost laptop.

The laptop containing the PHI for patient MR#1, was 1 (one) of 2 (two) laptops which were purchased in 2011 from a vendor, and was used for "mapping and care planning" in the Bronchoscopy Department.

These two laptops were confirmed last seen by the Bronchoscopy Staff on January 28, 2015, when Staff #7 delivered them to another location in the facility and placed them on top of a shredder. Thereafter, the laptops were never found again. The Bronchoscopy Staff did not discover the loss until several months later when a physician requested to use the laptop, on May 25, 2015.

At interview on 10/22/15 at 1:25pm, Staff #3, Chief Information Security Officer stated, the laptop containing the patient's PHI was verified as only password protected.

At Interview on 10/22/15, Staff # 8, Sr. Director Health Information Management, denied knowledge of the existence of the laptop as a means of recording patients' medical records. Staff # 8 also did not know of any PHI protection systems provided for the laptop. It was verified that PHI stored in the laptops were stored in the hardware of the device. The patient's care plan was completed using the laptop and then transferred to an associated computer's main tower through an "iron key /or USB". The information in the laptops were unencrypted and unprotected.

The facility also could not account for how many such unprotected, movable electronic medical records storage devices it had within its system and could not define the risk it had regarding security of patients' PHI's.