Las Vegas Sun

March 28, 2024

UMC lacks way to log patients’ records

Health Division probe follows reported leaks of private data

UMC

Sam Morris

University Medical Center trauma unit’s “face sheets,” which contain patient data, are stored in an unlocked cabinet, a clerk told a State HealthDivision investigator.

Kathy Silver

Kathy Silver

University Medical Center has no system to track patient records, leading to numerous instances in which hospital paperwork containing Social Security numbers, birth dates and other private information goes missing, a state investigation has found.

The investigation was triggered by a Las Vegas Sun story revealing that patient records of traffic injury victims were being systematically leaked from UMC, allegedly to ambulance-chasing attorneys in search of clients. The breach, an apparent violation of federal law, is also being investigated by the FBI.

The Nevada State Health Division examined the public hospital’s methods for protecting patient privacy. It released its report Thursday.

Brian Brannman, UMC’s chief operating officer, said he disagreed with some of the findings, adding that the hospital is working on a corrective action plan to address the problems. He said the hospital would follow the formal process for responding to the state and would not engage in a blow-by-blow response to the report for the Sun.

The report comes as the Clark County Commission is considering transferring UMC to a nonprofit or finding some other financial model for the cash-strapped hospital. Commissioners have also called for an evaluation of the quality of care at the hospital.

After reading the report, Jeffrey Drummond, a Dallas attorney who specializes in helping hospitals comply with patient privacy laws, said it’s rare for a facility to take such a “cavalier” attitude toward securing sensitive information.

“This strikes me as pretty outrageous,” he said. “The lack of control over what’s going on in the hospital with regard to patient information, if this (report) is remotely true, seems outrageous.”

UMC’s director of medical records told the state investigator that upon admission to the emergency room, registration clerks usually print as many as five “face sheets” — file cover sheets that contain a patient’s name, birth date, Social Security number, address, insurance and next-of-kin information. The state’s review of 28 patient charts found six were missing face sheets.

“They come up missing all the time,” UMC’s director of medical records told the state. “If the face sheet isn’t in the bucket with the rest of the packet, medical records just prints another one when they reconcile the whole chart.”

The state investigator also heard inconsistent accounts from staff about where trauma records are stored and when they are moved. For example:

• A registration clerk in the trauma emergency room said four copies of a patient’s face sheet were printed upon admission, and more as necessary for doctors. “Once a face sheet leaves here, it can go anywhere,” the clerk said. Loose copies of face sheets were stored in an unlocked cabinet near the door, the clerk said.

• Neither the director of trauma services nor the medical records staff knew whether trauma emergency room patient records were stored in the same place as the adult services emergency room patients.

• There was no consensus among department supervisors regarding when patient records would be collected and who was authorized to do so. One employee in the records unit told state investigators she did not know where records from the previous day were located.

Drummond said a key to securing private information is to ensure that only people who need it have access to it. There also must be a system to track who has accessed the information, he said.

It’s a “big deal” not to be able to track such information because it could compromise medical records and lead to identity theft.

“Basically a whole bunch of face sheets are printed out and they’re left in a cabinet somewhere,” he said. “That’s such casual treatment of that information.”

Rory Reid

Rory Reid

Steve Sisolak

Steve Sisolak

The state investigation also flagged UMC for not taking adequate measures to inform the Clark County Commission — the board that oversees the hospital — so the data breaches could be addressed. Hospital administrators said in interviews that commissioners are involved only in making decisions about clinical operations, the report said, and there was no plan to take the issue to the elected officials.

Brannman, the hospital’s COO, said it’s not true that UMC didn’t keep the county informed. “Anytime something like this happens, we’re on the phone with the county manager and commissioners,” Brannman said.

Commission Chairman Rory Reid said he was disappointed by the report’s findings and that patients deserve privacy when they enter a hospital. He said UMC’s management needs to account for the problems.

Commissioner Steve Sisolak called the report “eye-opening” and noted that it highlights problems with management and oversight at UMC.

Asked if he was referring to Kathy Silver, the hospital’s CEO, Sisolak said the patient privacy problems at UMC have “brought a lot of things to light.”

“There’s a lot of questions about UMC, and we need to sit down with Kathy and have a discussion about those issues,” Sisolak said. “Definitely we’re at the point where that needs to be done.”

Washington, D.C., attorney Kirk Nahra, who also specializes in hospital privacy compliance, offered a more nuanced view of the report. There’s nothing in the document that directly relates to the leak of the face sheets originally reported in the Sun, he said, and even the most stringent privacy practices can’t stop an employee who wants to commit a criminal act.

A trauma center is a chaotic place where hospitals balance caring for the needs of patients with protecting their private information, Nahra said. The same kinds of problems reported by the state could be found in other emergency rooms, he said, though they should serve as a wake-up call to UMC.

Join the Discussion:

Check this out for a full explanation of our conversion to the LiveFyre commenting system and instructions on how to sign up for an account.

Full comments policy