Facebook
Fark
Digg
Reddit
StumbleAt UMC, audits show privacy lapses are not new
Past county audits found shortcomings in HIPAA compliance
LAS VEGAS SUN FILE
UMC, owned by Clark County, is the region’s only public hospital.
Tuesday, Nov. 24, 2009 | 2 a.m.
Whom to contact
- UMC has set up a hotline. Call (888) 691-0772 if you have information regarding the possible leak of patient information, or if you are a former patient who has received unsolicited contact from an attorney's office.
Contact the Sun
- Accident patients who have been treated at UMC and contacted by legal representatives are invited to contact reporter Marshall Allen at 259-2330 or marshall.allen@lasvegassun.com.
Related Documents (.pdf)
- Download the UMC HIPAA Compliance Review
- Download the audit brief for the UMC HIPAA Compliance Review
- Download the audit follow-up findings recommendations and corrective actions taken
- Download the follow-up letter to Virginia Valentine regarding findings from the 2008 UMC HIPAA Security Rule review
- Download the letter to Kathy Silver regarding the audit
Sun Archives
- FBI looking at UMC records leak (11-21-2009)
- Hospital privacy leak could harm patients (11-20-2009)
- FBI, hospital in talks over leak of patient records (11-20-2009)
Sun Coverage
Beyond the Sun
- U.S. Department of Health & Human Services: Health Information Privacy
- University Medical Center of Southern Nevada
University Medical Center, facing a possible FBI investigation for allowing confidential patient information to be leaked to outsiders, has a spotty record of adhering to patient privacy laws, Clark County auditors have previously found.
Three county audits since June 2007 showed that although UMC employees are almost universally aware of the patient privacy policies mandated by the Health Insurance Portability and Accountability Act, better known as HIPAA, they have had a more difficult time with implementation.
Failure by the UMC workforce to comply with privacy safeguards “makes the hospital vulnerable” to compromising patient information, county auditors wrote Sept. 15.
“Each of these potential events presents a risk to patient safety, loss of customer confidence, while significant failures may result in federal and state investigations that can result in corrective actions and fines,” the auditors wrote.
The HIPAA requires medical facilities to closely guard patient information such as names, addresses, birth dates, Social Security numbers and diagnoses to protect patient privacy and prevent identity theft. The goal of the audits was to determine employees’ awareness of the hospital’s privacy policies, and their use of proper safeguards.
“We take all of these issues very seriously,” county spokesman Dan Kulin said. “That is why we have our audit department conduct these reviews, to identify issues that need to be corrected. And many of them have been.
“This is an ongoing process,” he said. “We will continue to review our compliance.”
Based on the reports it appears that the audits did not investigate the type of allegations that now plague UMC. The FBI is considering an investigation of UMC after hospital officials determined that someone had been leaking “face sheets” — cover sheets with private patient information — of car accident victims, allegedly so they could be used by ambulance-chasing attorneys to mine for clients.
The Sun was given 21 of the documents, dated Oct. 31 and Nov. 1, from a source concerned about the violation of patient privacy. The source — who obtained them from others in the medical community and did not know the initial source of the leak at UMC — believed that the face sheets for people injured in traffic accidents have been systematically released from the hospital for months, if not years.
UMC, owned by Clark County, is the only public hospital in Southern Nevada.
From August to November 2007 staff from the county’s audit department found a 73 percent compliance with turning charts toward a wall or using cover sheets to shield patient information from passers-by. Some chart labels were double-sided, which enabled them to be seen by bystanders.
There was an 81 percent compliance rate in properly disposing of private information in recycling bins and shredders, the report from the 2007 audit said. Patient paperwork was found in trash cans in 15 of 79 units. Patient records were left on counters, carts or in empty rooms in nine of 73 units.
From November 2007 to June 2008, auditors found nine of 31 departments with 100 percent compliance with HIPAA guidelines. In four departments, private patient information was found on paperwork in trash cans, in unlocked recycle bins or on a printer left unattended in a lobby during weekend and holiday periods. Six of 31 departments had offices or a nursing station unlocked and empty while containing sensitive, privileged information.
A Sept. 15 audit report, covering the period of October 2008 to May 2009, shows continued lapses at a time when the hospital had been working on its ongoing compliance with HIPAA. The overall compliance rate was 82 percent for the 29 departments reviewed, a decrease from 88 percent in the previous year’s audit. As in other audits, employees were generally aware of HIPAA guidelines, but in the September report the auditors observed several examples of noncompliance with safeguards:
• Three departments had unlocked recycling bins.
• In 11 of 29 departments unsecured health information was in open offices and nursing stations. Files left on counters and desks in areas presumed to be supervised were sometimes left alone.
• The staff in the patient accounts department was unable to encrypt outgoing e-mails that contained protected health information.
Discussion: comments so far…
Comments are moderated by Las Vegas Sun editors. Our goal is not to limit the discussion, but rather to elevate it. Comments should be relevant and contain no abusive language. Comments that are off-topic, vulgar, profane or include personal attacks will be removed. Full comments policy. Additionally, we now display comments from trusted commenters by default. Those wishing to become a trusted commenter need to verify their identity or sign in with Facebook Connect to tie their Facebook account to their Las Vegas Sun account. For more on this change, read our story about how it works and why we did it.
Only trusted comments are displayed on this page. Untrusted comments have expired from this story.
No trusted comments have been posted.
Post a comment
Most Popular
- Viewed
- Discussed
- E-mailed
- Chinese company agrees to finance proposed Henderson arena
- South Point owner Michael Gaughan’s take on ‘Vegas Stripped’: ‘I’ll give it an 8’
- Coolican: Henderson officials out of loop on police brutality case, raising red flags
- Romney says he prevented Massachusetts from becoming ‘the Las Vegas of gay marriage’
- See mug shots of 16 arrested in stolen-property police sting
- Criss Angel denies allegations of fight with fired employee
- UNLV eager to get on the court for big game against San Diego State
- Lumberjacks — ‘Where the Big Boys Eat’ — hiring for North Las Vegas location
- Berkley draws stark contrasts with Heller over immigration
- Conceptual design unveiled for Henderson Space and Science Center
Blogs
The Kats Report
Live color from the scene at Thomas & Mack Center: Was not putting money on that 9.5-point line a good idea?
South Point owner Michael Gaughan's take on 'Vegas Stripped': 'I'll give it an 8' (3 Comments)
Author relishes writing the life story of ‘larger-than-life’ Oscar Goodman (3 Comments)
Elsewhere
Landowner: All roads could lead to Uxbridge casino
Revel reveals smoke-free casino opening
Cirque du Soleil show in Sands China casino to close this month
Meet the woman behind Sheldon Adelson
The Sun
Locally owned and independent for more than 50 years.
The selling of face sheets is not a lapse: it is deliberate criminal conduct. It is one thing to not follow every proper protocol to protect patient information. It is another entirely for a rogue employee to surreptitiously take information and sell it.
This article is the coup de grace. It is a positive that UMC is auditing itself to improve its employees' compliance with HIPAA. The Sun has managed to take that positive and attempt to tie it to something that is an entirely different animal and thereby cast UMC in a bad light.
I will say it again. If the Sun were truly concerned about safeguarding the public, it would have held its story about the selling of information long enough for UMC and Metro to design a sting and expose the perpetrator(s). It is unfortunate that the Sun has chosen to allow the perpetrator(s) an opportunity to remain concealed in favor of grabbing headlines.
Actually, in this case it probably makes sense for Metro *not* to be the investigating agency, insofar as it (like UMC) is a partial creature of the County. It's far better to have an independent agency like the FBI looking into this, particularly since any referral or request for prosecution would be made to the Office of the U.S. Attorney, rather than county employee David Roger. Still, based on the published reports, it seems like there's a potential 1983 class action for someboday versus UMC and the County on behalf of all the patients whose privacy was violated.
I believe that the HIPAA violations have been ongoing for more than one year. I was taken to UMC(11/4/08) after a traffic accident. I think my ID was stolen during that 2hr ER visit. I was contacted by an unknown atty within 12hrs of discharge and an unknown insurance company telling me that the person involved in perpetrating the accident, was a "person of interest" in auto accident staging. That person WAS A KNOWN STAGER OF ACCIDENTS.Who said this is a new problem. I think it has been going on for years. This is not just Kathy Silver's problem, it goes to the core of healthcare fraud.