UMC officials did not know who had keys to the bins, nor how many had been issued, according to a state Health Division report. Inspectors found four instances where people had been issued multiple keys without an explanation.
"In other words, there was no way to tell whether the additional keys were replacing lost or stolen keys or were simply a second set for those individuals, or passed on to someone else," the report said.
UMC will need to appeal the report or provide a plan to address the violation. The hospital faces a fine of up to $400, a state official said.
Protecting patient privacy has been at the forefront of hospital operations nationwide since Congress passed the Health Insurance Portability and Accountability Act of 1996. Violations of HIPAA, as the act is known, can be investigated by the county district attorney, the state attorney general's office or the U.S. attorney's office. A person who violates a patient's privacy with the intent to sell information can be fined up to $250,000 and imprisoned for up to 10 years.
HIPAA requires hospitals to make "reasonable efforts" to protect patient data, Brannman said, and leaves specific methods open to interpretation. He said UMC was doing everything necessary to abide by HIPAA by keeping the bins inside locked rooms or in locations that were in the open and visible to others at all times. UMC's precautions make it inconvenient for anyone who wanted to go "Dumpster diving" in the bins for patient information, he said.
As for the state report, Brannman dismissed the inspector's notes as "anecdotal" and "that inspector's opinion."
... Brannman said he has 10 days to respond to the state's report and it may be disputed.
Clark County Commissioner Steve Sisolak suggests that the hospital reduce the number of recycling boxes and install a shredder over each one, so the records are destroyed immediately.