Gavin Lesnick reports:
UAMS is notifying about 1,500 patients that a former resident doctor who was fired in 2010 improperly kept medical records containing some personal information.
The hospital said in a statement that the doctor violated policy when she kept documents containing information including patient names, partial addresses, medical record numbers, dates of birth, diagnoses, medications and laboratory results. The documents were from January through June 2010.
Read more on Arkansas Online.
UAMS has named the resident, although they would not say why Nasrin Fatemi was fired. The Arkansas News Bureau provides some additional details on the breach and the federal lawsuit against UAMS:
UAMS said it became aware of the breach on Oct. 9, when Fatemi produced the documents as part of a federal lawsuit she filed against the university hospital regarding her termination. On Nov. 7, UAMS became aware that additional documents she kept had been provided to UAMS attorneys on June 25, officials said.
So UAMS actually learned of the breach on June 25 but did not notify anyone until five months later? Under HITECH, if the records were protected by a court order and the resident had assured UAMS that there had been no disclosure to anyone other than lawyers involved in her lawsuit, perhaps they felt that there was no significant risk of harm that would trigger breach notification? Or perhaps their lawyers didn’t notify the HIPAA Privacy team back in June? It’s not clear.
Here is the text of the notice UAMS posted on their site, although it is not prominently linked from their home page. One of the things that is not clear in the notice is how the resident managed to take these records with her. Were these electronic files that she stored on a flash drive or copies of paper records or…?
The University of Arkansas for Medical Sciences has discovered a breach of patient information, which resulted when a resident physician impermissibly kept notes and lists containing patient information after leaving UAMS.
This website has been set up to answer some questions that patients and the public may have. We are sorry this happened and want to make sure you have all of the information you may need to protect your health information, in the event your information was involved.
Was my information involved?
UAMS is notifying patients who were affected by this breach via mail. If you do not receive a letter from us and you have maintained a current address with UAMS, it is unlikely that your information was involved. However, if you were a patient at UAMS who had surgery or was seen by a neurosurgeon from January 2010 to June 2010, you may call the UAMS toll-free hotline to find out whether your information was included. That number is 888-729-2755.
What information was involved?
For some patients, only demographic information such as name, address, date of birth, medical record number, and date of service was included in the information. For other patients, some or all of the following additional information was included: ages, locations of care, dates of service, diagnoses, medications, surgical and other procedure names, and lab results.
Why did the resident keep this information and who else has seen it?
UAMS does not allow its employees, including residents, to keep medical record information after leaving UAMS, and we are not sure why this resident kept all of this information. She informed us that she intended to use some of it for research, but assured us that she had not actually done research on the data. She also used some of the information in her lawsuit against UAMS, which is a lawsuit regarding her termination from UAMS. She assured us that she did not share this information with anyone other than her attorney. UAMS’s attorneys have also seen these documents. Both the resident’s attorneys and UAMS’s attorneys have Business Associate Agreements that ensure they protect the confidentiality of this information. There is also a court order in place to ensure these documents remain confidential.
What are the risks to my information?
The risk is that this former resident may have used this information for purposes not allowed by HIPAA, such as research or in her lawsuit against UAMS. There is also a risk that others, such as the attorneys involved, may see documents containing medical information to which they would not normally have access and learn about your medical condition.
I am worried about identity theft. Does this incident put me at risk?
The information that was included did not include any social security numbers. There was no financial information like a bank account number. The former UAMS physician and the attorneys involved are not individuals we would be concerned with attempting to steal patient identities, so we have determined that there is not a risk of financial harm as a result of this breach. However, if you are worried about identity theft, we recommend that you contact the three credit reporting agencies to obtain a copy of your credit report and also to place a fraud alert on your file.
Experian
PO Box 9530
Allen, TX 70513
www.experian.com
1-888-397-3742
Trans Union
PO Box 6790
Fullerton, CA 92834
www.TransUnion.com
1-800-888-4213
Equifax
PO Box 740241
Atlanta, GA 30374
www.Equifax.com
1-800-685-1111
How did this happen?
We are sorry that this incident occurred. UAMS has policies in place to prevent medical record information from leaving the premises and being used for purposes other than those allowed by law. The former resident involved did not follow these policies.
Doesn’t UAMS have ways to protect my information?
UAMS works very hard to keep our patients’ information secure. We have written policies to protect patient information and a HIPAA Team dedicated to ensuring that all possible steps are taken to guard your protected health information. Employees who do not follow these policies are disciplined.
What is being done in response to this?
UAMS is working hard to make sure your information is protected and that incidents like this do not happen again. UAMS has self-reported this incident to the Office for Civil Rights, which is the federal agency that enforces HIPAA. They will conduct an investigation into this matter as well. We are conducting additional training of our workforce members, to help ensure that our policies are followed and medical record information is not removed from UAMS, and that when an employee is terminated from UAMS, they do not retain medical record information.
This is UAMS’s second reported breach this year. In April, they revealed that 7,000 patients were being notified after data that was to be analyzed for billing charges had not been properly de-identified.