NEWPORT, R.I. (WPRI) – A stack of paperwork from Newport Hospital was left outside the facility where anyone could have seen it, according to an email the Target 12 investigators obtained in an tip.
The email, which was sent by a manager to employees at Newport Hospital in May says, “an employee brought me a stack of paperwork she found in the parking lot.”
According to the email, the paperwork included control sheets, ID bands, worksheets and demographic sheets.
“We are fortunate that an employee found them,” the email reads. “This could easily have wound up in the wrong hands or on the news.”
“Please do not leave the facility with PHI [Protected Health Information],” the manager added.
David Levesque, a spokesperson for Lifespan, told Target 12 in an email, “Newport Hospital investigated the issue back in May.”
“There was no PHI [Protected Health Information] breach,” he said.
Sonja Deyoe, a Providence attorney with expertise in privacy laws and protected health information, questions the hospital’s conclusion.
“How could they know?” she asked. “I think the first concern is that anybody obviously could have gotten into that stack of paperwork. The second concern I have is did someone have their information taken by an outside source?”
“We don’t know if all the records were retrieved,” Deyoe added. “There are a lot of what-ifs, and for that reason it’s very concerning to me. If somebody is looking at your health care information and you don’t know about it, you don’t know how that might impact you.”
State and federal law protect patient information. If it’s breached, the laws require disclosure.
Lifespan said because its investigation determined there was no breach of Protected Health Information, there was no reason to report the incident to patients, the state, or the feds.
Levesque also said there’s an error in the email, and that the employee who sent it did not have all the facts when the email was sent. When Target 12 asked what the error is, Levesque refused to say.
Lifespan’s response to Target 12’s questions about whether the incident prompted any policy changes or disciplinary actions:
The hospital’s internal review determined that there was not a reportable breach of PHI. As such, there was no need to change the hospital’s comprehensive policies involving securing PHI. As stated previously, the email cited contained a conclusion that was later determined to be incorrect. While we will not discuss personnel matters, we have responded appropriately in accordance with our policies and procedures.