Las Vegas Sun

February 11, 2012

Currently: 56° | Complete forecast | Log in

UMC:

Hospital can’t account for keys to bins of patient records for shredding

Image

Tiffany Brown

University Medical Center, which is Clark County’s only publicly funded hospital.

By

Friday, March 19, 2010 | 2:01 a.m.

Related Document (.pdf)

Sun Archives

After the Sun’s revelations of patient-confidentiality leaks at University Medical Center in November, hospital officials scrutinized operations and declared they had tightened patient privacy controls.

But state health authorities have discovered an unknown number of unidentified people have keys to locked bins at the hospital where patient information sheets are deposited for shredding.

UMC officials did not know who had keys to the bins, nor how many had been issued, according to a state Health Division report. Inspectors found four instances where people had been issued multiple keys without an explanation.

“In other words, there was no way to tell whether the additional keys were replacing lost or stolen keys or were simply a second set for those individuals, or passed on to someone else,” the report said.

UMC will need to appeal the report or provide a plan to address the violation. The hospital faces a fine of up to $400, a state official said.

Protecting patient privacy has been at the forefront of hospital operations nationwide since Congress passed the Health Insurance Portability and Accountability Act of 1996. Violations of HIPAA, as the act is known, can be investigated by the county district attorney, the state attorney general’s office or the U.S. attorney’s office. A person who violates a patient’s privacy with the intent to sell information can be fined up to $250,000 and imprisoned for up to 10 years.

Brian Brannman, UMC’s chief operating officer, said a third-party vendor is responsible for the hospital’s recycling bins and that UMC’s key policy does not address outside vendors. He is not sure the hospital has done anything wrong with regard to the bins, he said.

HIPAA requires hospitals to make “reasonable efforts” to protect patient data, Brannman said, and leaves specific methods open to interpretation. He said UMC was doing everything necessary to abide by HIPAA by keeping the bins inside locked rooms or in locations that were in the open and visible to others at all times. UMC’s precautions make it inconvenient if someone wanted to go “Dumpster diving” in the bins for patient information, he said.

As for the state report, Brannman dismissed the inspector’s notes as “anecdotal” and “that inspector’s opinion.”

The state inspector interviewed nine people to produce the report. UMC’s July 2007 key control policy showed that three employees had responsibility for the keys and locked bins — the hospital’s locksmith and the heads of public safety and plant operations.

UMC contracted in June 2008 with a third party for about 108 recycling bins and 100 keys, each of which could open all of the bins, the report said. According to the contract signed by UMC’s environmental services manager, 100 keys were assigned to her, but she told the inspector she received only 10 to 12 keys and could not explain why the contract she signed said she received 100 keys.

Most of the bins were stored in a locked closet, but some could not be accounted for, the report said.

A log produced by UMC employees showed that 53 people had keys.

According to UMC’s policy, the deputy chief of public safety and the locksmith were responsible for keeping tabs on whether keys were lost or stolen. The deputy chief failed to provide any data on keys that were lost or stolen, and the locksmith said key audits were not regular, the report said.

Brannman said he has 10 days to respond to the state’s report and it may be disputed.

Clark County Commissioner Steve Sisolak suggests that the hospital reduce the number of recycling boxes and install a shredder over each one, so the records are destroyed immediately.

“I think this is a pretty easy one to solve,” he said.

Discussion: comments so far…

Comments are moderated by Las Vegas Sun editors. Our goal is not to limit the discussion, but rather to elevate it. Comments should be relevant and contain no abusive language. Comments that are off-topic, vulgar, profane or include personal attacks will be removed. Full comments policy. Additionally, we now display comments from trusted commenters by default. Those wishing to become a trusted commenter need to verify their identity or sign in with Facebook Connect to tie their Facebook account to their Las Vegas Sun account. For more on this change, read our story about how it works and why we did it.

Only trusted comments are displayed on this page. Untrusted comments have expired from this story.

No trusted comments have been posted.

Post a comment

Commenting requires registration.

Comments are moderated by Las Vegas Sun editors. Our goal is not to limit the discussion, but rather to elevate it. Comments should be relevant and contain no abusive language. Comments that are off-topic, vulgar, profane or include personal attacks will be removed. Full comments policy.

If you would like to submit your comment as a letter to the editor, you may submit it here.

Most Popular

  • Viewed
  • Discussed
  • E-mailed
  • Facebook