Texas Health Arlington Memorial Hospital breach notice

I finally tracked down an explanation for a breach entry in HHS’s breach tool that read:

Texas Health Arlington Memorial Hospital,TX,, 654, 12/23/2010,Unknown ,Electronic Medical Record,,

I had reported it on this blog last week, but here’s the undated notice that explains it:

Texas Health Arlington Memorial Hospital is notifying our patients about a breach of personal health information. After completion of the investigation and review of the facts, we believe that there is no potential harm of identity theft or financial fraud to you due to the intended purpose of the disclosure. The breach was discovered on January 26, 2011.

Texas Health Arlington has been in the process of converting information systems and processes to the same system standards used at other Texas Health hospitals. On December 23, 2010 the information services department turned on a switch between Texas Health Arlington and SandlotConnect, a health information exchange. The switch allows health information to go to SandlotConnect after patients sign an authorization form and the patients’ accounts are marked to permit the exchange of information.

It was determined that there were two issues: (1) the SandlotConnect authorization form was not presented to patients at the time of registration as Texas Health Arlington employees were not aware that the switch had been turned on and (2) the registration employees were marking patients’ accounts incorrectly.

The information disclosed to SandlotConnect included the following elements: name, address, date of birth, social security number, account number, medical record number, insurance information, and dates of service. In addition, the categories of health information as indicated below may have been sent: Lab Results, Radiology Results, Problems, Procedures, Transcribed Reports, Medications, and/or Allergies.

Since notification of the event, we turned off the switch so that no further health information would be sent, marked each affected patients’ account as not participating in the health information exchange, and worked with Sandlot to shield the information from being further used or disclosed. In addition, Texas Health Arlington registration employees received additional training on the SandlotConnect health information exchange processes. Information services has modified their implementation process for the health information exchange and trained their employees on it.

We also reviewed audit trail reports and determined that the majority of accounts were accessed by Sandlot employees in order to shield the affected patients’ health information. However, some SandlotConnect accounts were accessed by authorized health care providers for treatment purposes.

After completing the investigation and reviewing the facts, Texas Health Arlington believes that there is no potential harm of identity theft or financial fraud to you due to the intended purpose of SandlotConnect – continuity of care by authorized users of the health information exchange.

Texas Health has trained staff available to take calls if you have questions related to the incident. You may call this number, 1-800-227-3597, from 8:00 a.m. to 5:00 p.m. Monday through Friday. Please review the Sequence of Events document for additional information.

No one from any Texas Health entity will be contacting you or asking you to confirm any of the information that was involved in the incident. Please be alert to such calls and do not provide any personal information to the caller.

Texas Health Arlington takes very seriously our role of safeguarding your personal information and using and disclosing it in the appropriate manner. Texas Health regrets any stress and worry this situation has caused. ?
Sequence of Events

What happened?

Texas Health Arlington has been in the process of converting information systems and processes to the same system standards used at other Texas Health hospitals. On December 23, 2010 the information services department turned on a switch between Texas Health Arlington and SandlotConnect, a health information exchange. The switch allows health information to go to SandlotConnect after patients sign an authorization form and the patients’ accounts are marked to permit the exchange of information.

It was determined that there were two issues: (1) the SandlotConnect authorization form was not presented to patients at the time of registration as Texas Health Arlington employees were not aware that the switch had been turned on and (2) the registration employees were marking patients’ accounts incorrectly.

Another finding was that some patients already had their accounts marked to participate in the exchange due to a previous visit at another Texas Health hospital where they had authorized their the exchange to SandlotConnect. However, it is our practice for patients to have the opportunity at each visit to a Texas Health hospital to decide whether they want to participate or not in the health information exchange.

The causes of the incident were due to employee training issues, and the lack of communication and follow-up between the employees involved in the implementation of the health information exchange switch for Texas Health Arlington.

Information about Sandlot

Sandlot is a division of North Texas Specialty Physicians. The SandlotConnect Health Information Exchange allows physicians, hospitals and clinics to share medical records from various providers. This allows physicians to avoid duplicate medical procedures for patients. Physicians can look up information such as test results and medication histories to provide continuity of care.

The health information exchange has 1.5 million patients among five counties in Texas. In addition to Tarrant, the counties include Dallas, Erath, Johnson and Parker.

This website provides more information about SandlotConnect – http://sandlotsolutions.com. If you wish to call and speak to someone at Sandlot directly, please contact the compliance officer, Vera Blanc, at 817-810-5237.

What steps have been taken by Texas Health Arlington and Sandlot?

Since notification of the event, we turned off the switch so that no further health information would be sent, marked each affected patients’ account as not participating in the health information exchange, and worked with Sandlot to shield the information from being further used or disclosed. In addition, Texas Health Arlington registration employees received additional training on the SandlotConnect health information exchange processes. Information services has modified their implementation process for the health information exchange and trained their employees on it.

We also reviewed audit trail reports and determined that the majority of accounts were accessed by Sandlot employees in order to shield the affected patients’ health information. However, some SandlotConnect accounts were accessed by authorized health care providers for treatment purposes.

[…]

Read more on TexasHealth.org