LAS VEGAS SUN FILE
Tuesday, Nov. 24, 2009 | 2 a.m.
Whom to contact
- UMC has set up a hotline. Call (888) 691-0772 if you have information regarding the possible leak of patient information, or if you are a former patient who has received unsolicited contact from an attorney's office.
Contact the Sun
- Accident patients who have been treated at UMC and contacted by legal representatives are invited to contact reporter Marshall Allen at 259-2330 or [email protected].
Related Documents (.pdf)
- Download the UMC HIPAA Compliance Review
- Download the audit brief for the UMC HIPAA Compliance Review
- Download the audit follow-up findings recommendations and corrective actions taken
- Download the follow-up letter to Virginia Valentine regarding findings from the 2008 UMC HIPAA Security Rule review
- Download the letter to Kathy Silver regarding the audit
- FBI looking at UMC records leak (11-21-2009)
- Hospital privacy leak could harm patients (11-20-2009)
- FBI, hospital in talks over leak of patient records (11-20-2009)
University Medical Center, facing a possible FBI investigation for allowing confidential patient information to be leaked to outsiders, has a spotty record of adhering to patient privacy laws, Clark County auditors have previously found.
Three county audits since June 2007 showed that although UMC employees are almost universally aware of the patient privacy policies mandated by the Health Insurance Portability and Accountability Act, better known as HIPAA, they have had a more difficult time with implementation.
Failure by the UMC workforce to comply with privacy safeguards “makes the hospital vulnerable” to compromising patient information, county auditors wrote Sept. 15.
“Each of these potential events presents a risk to patient safety, loss of customer confidence, while significant failures may result in federal and state investigations that can result in corrective actions and fines,” the auditors wrote.
The HIPAA requires medical facilities to closely guard patient information such as names, addresses, birth dates, Social Security numbers and diagnoses to protect patient privacy and prevent identity theft. The goal of the audits was to determine employees’ awareness of the hospital’s privacy policies, and their use of proper safeguards.
“We take all of these issues very seriously,” county spokesman Dan Kulin said. “That is why we have our audit department conduct these reviews, to identify issues that need to be corrected. And many of them have been.
“This is an ongoing process,” he said. “We will continue to review our compliance.”
Based on the reports it appears that the audits did not investigate the type of allegations that now plague UMC. The FBI is considering an investigation of UMC after hospital officials determined that someone had been leaking “face sheets” — cover sheets with private patient information — of car accident victims, allegedly so they could be used by ambulance-chasing attorneys to mine for clients.
The Sun was given 21 of the documents, dated Oct. 31 and Nov. 1, from a source concerned about the violation of patient privacy. The source — who obtained them from others in the medical community and did not know the initial source of the leak at UMC — believed that the face sheets for people injured in traffic accidents have been systematically released from the hospital for months, if not years.
UMC, owned by Clark County, is the only public hospital in Southern Nevada.
From August to November 2007 staff from the county’s audit department found a 73 percent compliance with turning charts toward a wall or using cover sheets to shield patient information from passers-by. Some chart labels were double-sided, which enabled them to be seen by bystanders.
There was an 81 percent compliance rate in properly disposing of private information in recycling bins and shredders, the report from the 2007 audit said. Patient paperwork was found in trash cans in 15 of 79 units. Patient records were left on counters, carts or in empty rooms in nine of 73 units.
From November 2007 to June 2008, auditors found nine of 31 departments with 100 percent compliance with HIPAA guidelines. In four departments, private patient information was found on paperwork in trash cans, in unlocked recycle bins or on a printer left unattended in a lobby during weekend and holiday periods. Six of 31 departments had offices or a nursing station unlocked and empty while containing sensitive, privileged information.
A Sept. 15 audit report, covering the period of October 2008 to May 2009, shows continued lapses at a time when the hospital had been working on its ongoing compliance with HIPAA. The overall compliance rate was 82 percent for the 29 departments reviewed, a decrease from 88 percent in the previous year’s audit. As in other audits, employees were generally aware of HIPAA guidelines, but in the September report the auditors observed several examples of noncompliance with safeguards:
• Three departments had unlocked recycling bins.
• In 11 of 29 departments unsecured health information was in open offices and nursing stations. Files left on counters and desks in areas presumed to be supervised were sometimes left alone.
• The staff in the patient accounts department was unable to encrypt outgoing e-mails that contained protected health information.