At UMC, audits show privacy lapses are not new

Past county audits found shortcomings in HIPAA compliance

LAS VEGAS SUN FILE

UMC, owned by Clark County, is the region’s only public hospital.

By Marshall Allen (contact)

Tuesday, Nov. 24, 2009 | 2 a.m.

UMC has set up a hotline. Call (888) 691-0772 if you have information regarding the possible leak of patient information, or if you are a former patient who has received unsolicited contact from an attorney's office.

Accident patients who have been treated at UMC and contacted by legal representatives are invited to contact reporter Marshall Allen at 259-2330 or marshall.allen@lasvegassun.com.

FBI looking at UMC records leak (11-21-2009)
Hospital privacy leak could harm patients (11-20-2009)
FBI, hospital in talks over leak of patient records (11-20-2009)

More Sun health coverage

U.S. Department of Health & Human Services: Health Information Privacy
University Medical Center of Southern Nevada

University Medical Center, facing a possible FBI investigation for allowing confidential patient information to be leaked to outsiders, has a spotty record of adhering to patient privacy laws, Clark County auditors have previously found.

Three county audits since June 2007 showed that although UMC employees are almost universally aware of the patient privacy policies mandated by the Health Insurance Portability and Accountability Act, better known as HIPAA, they have had a more difficult time with implementation.

Failure by the UMC workforce to comply with privacy safeguards “makes the hospital vulnerable” to compromising patient information, county auditors wrote Sept. 15.

“Each of these potential events presents a risk to patient safety, loss of customer confidence, while significant failures may result in federal and state investigations that can result in corrective actions and fines,” the auditors wrote.

The HIPAA requires medical facilities to closely guard patient information such as names, addresses, birth dates, Social Security numbers and diagnoses to protect patient privacy and prevent identity theft. The goal of the audits was to determine employees’ awareness of the hospital’s privacy policies, and their use of proper safeguards.

“We take all of these issues very seriously,” county spokesman Dan Kulin said. “That is why we have our audit department conduct these reviews, to identify issues that need to be corrected. And many of them have been.

“This is an ongoing process,” he said. “We will continue to review our compliance.”

Based on the reports it appears that the audits did not investigate the type of allegations that now plague UMC. The FBI is considering an investigation of UMC after hospital officials determined that someone had been leaking “face sheets” — cover sheets with private patient information — of car accident victims, allegedly so they could be used by ambulance-chasing attorneys to mine for clients.

The Sun was given 21 of the documents, dated Oct. 31 and Nov. 1, from a source concerned about the violation of patient privacy. The source — who obtained them from others in the medical community and did not know the initial source of the leak at UMC — believed that the face sheets for people injured in traffic accidents have been systematically released from the hospital for months, if not years.

UMC, owned by Clark County, is the only public hospital in Southern Nevada.

From August to November 2007 staff from the county’s audit department found a 73 percent compliance with turning charts toward a wall or using cover sheets to shield patient information from passers-by. Some chart labels were double-sided, which enabled them to be seen by bystanders.

There was an 81 percent compliance rate in properly disposing of private information in recycling bins and shredders, the report from the 2007 audit said. Patient paperwork was found in trash cans in 15 of 79 units. Patient records were left on counters, carts or in empty rooms in nine of 73 units.

From November 2007 to June 2008, auditors found nine of 31 departments with 100 percent compliance with HIPAA guidelines. In four departments, private patient information was found on paperwork in trash cans, in unlocked recycle bins or on a printer left unattended in a lobby during weekend and holiday periods. Six of 31 departments had offices or a nursing station unlocked and empty while containing sensitive, privileged information.

A Sept. 15 audit report, covering the period of October 2008 to May 2009, shows continued lapses at a time when the hospital had been working on its ongoing compliance with HIPAA. The overall compliance rate was 82 percent for the 29 departments reviewed, a decrease from 88 percent in the previous year’s audit. As in other audits, employees were generally aware of HIPAA guidelines, but in the September report the auditors observed several examples of noncompliance with safeguards:

• Three departments had unlocked recycling bins.

• In 11 of 29 departments unsecured health information was in open offices and nursing stations. Files left on counters and desks in areas presumed to be supervised were sometimes left alone.

• The staff in the patient accounts department was unable to encrypt outgoing e-mails that contained protected health information.

Discussion: 5 comments so far…

Comments are moderated by Las Vegas Sun editors. Our goal is not to limit the discussion, but rather to elevate it. Comments should be relevant and contain no abusive language. Comments that are off-topic, vulgar, profane or include personal attacks will be removed. Full comments policy.

By Randy

Nov. 24, 2009

5:47 a.m.

Suggest removal

The selling of face sheets is not a lapse: it is deliberate criminal conduct. It is one thing to not follow every proper protocol to protect patient information. It is another entirely for a rogue employee to surreptitiously take information and sell it.

This article is the coup de grace. It is a positive that UMC is auditing itself to improve its employees' compliance with HIPAA. The Sun has managed to take that positive and attempt to tie it to something that is an entirely different animal and thereby cast UMC in a bad light.

I will say it again. If the Sun were truly concerned about safeguarding the public, it would have held its story about the selling of information long enough for UMC and Metro to design a sting and expose the perpetrator(s). It is unfortunate that the Sun has chosen to allow the perpetrator(s) an opportunity to remain concealed in favor of grabbing headlines.
By LasVegasLawyerGal

Nov. 24, 2009

8:49 a.m.

Suggest removal

Actually, in this case it probably makes sense for Metro *not* to be the investigating agency, insofar as it (like UMC) is a partial creature of the County. It's far better to have an independent agency like the FBI looking into this, particularly since any referral or request for prosecution would be made to the Office of the U.S. Attorney, rather than county employee David Roger. Still, based on the published reports, it seems like there's a potential 1983 class action for someboday versus UMC and the County on behalf of all the patients whose privacy was violated.
By healthsave

Dec. 28, 2009

1:31 p.m.

Suggest removal

I believe that the HIPAA violations have been ongoing for more than one year. I was taken to UMC(11/4/08) after a traffic accident. I think my ID was stolen during that 2hr ER visit. I was contacted by an unknown atty within 12hrs of discharge and an unknown insurance company telling me that the person involved in perpetrating the accident, was a "person of interest" in auto accident staging. That person WAS A KNOWN STAGER OF ACCIDENTS.Who said this is a new problem. I think it has been going on for years. This is not just Kathy Silver's problem, it goes to the core of healthcare fraud.