Hospital can’t account for keys to bins of patient records for shredding

By Marshall Allen

Friday, March 19, 2010 | 2:01 a.m.

After the Sun’s revelations of patient-confidentiality leaks at University Medical Center in November, hospital officials scrutinized operations and declared they had tightened patient privacy controls.

But state health authorities have discovered an unknown number of unidentified people have keys to locked bins at the hospital where patient information sheets are deposited for shredding.

UMC officials did not know who had keys to the bins, nor how many had been issued, according to a state Health Division report. Inspectors found four instances where people had been issued multiple keys without an explanation.

“In other words, there was no way to tell whether the additional keys were replacing lost or stolen keys or were simply a second set for those individuals, or passed on to someone else,” the report said.

UMC will need to appeal the report or provide a plan to address the violation. The hospital faces a fine of up to $400, a state official said.

Protecting patient privacy has been at the forefront of hospital operations nationwide since Congress passed the Health Insurance Portability and Accountability Act of 1996. Violations of HIPAA, as the act is known, can be investigated by the county district attorney, the state attorney general’s office or the U.S. attorney’s office. A person who violates a patient’s privacy with the intent to sell information can be fined up to $250,000 and imprisoned for up to 10 years.

Brian Brannman, UMC’s chief operating officer, said a third-party vendor is responsible for the hospital’s recycling bins and that UMC’s key policy does not address outside vendors. He is not sure the hospital has done anything wrong with regard to the bins, he said.

HIPAA requires hospitals to make “reasonable efforts” to protect patient data, Brannman said, and leaves specific methods open to interpretation. He said UMC was doing everything necessary to abide by HIPAA by keeping the bins inside locked rooms or in locations that were in the open and visible to others at all times. UMC’s precautions make it inconvenient if someone wanted to go “Dumpster diving” in the bins for patient information, he said.

As for the state report, Brannman dismissed the inspector’s notes as “anecdotal” and “that inspector’s opinion.”

The state inspector interviewed nine people to produce the report. UMC’s July 2007 key control policy showed that three employees had responsibility for the keys and locked bins — the hospital’s locksmith and the heads of public safety and plant operations.

UMC contracted in June 2008 with a third party for about 108 recycling bins and 100 keys, each of which could open all of the bins, the report said. According to the contract signed by UMC’s environmental services manager, 100 keys were assigned to her, but she told the inspector she received only 10 to 12 keys and could not explain why the contract she signed said she received 100 keys.

Most of the bins were stored in a locked closet, but some could not be accounted for, the report said.

A log produced by UMC employees showed that 53 people had keys.

According to UMC’s policy, the deputy chief of public safety and the locksmith were responsible for keeping tabs on whether keys were lost or stolen. The deputy chief failed to provide any data on keys that were lost or stolen, and the locksmith said key audits were not regular, the report said.

Brannman said he has 10 days to respond to the state’s report and it may be disputed.

Clark County Commissioner Steve Sisolak suggests that the hospital reduce the number of recycling boxes and install a shredder over each one, so the records are destroyed immediately.

“I think this is a pretty easy one to solve,” he said.