The state Department of Public Health failed to protect the confidential health information of patients during the COVID-19 pandemic, according to a report released Wednesday by state auditors.
The report reviewed the fiscal years ended June 30, 2022 and 2023, and cited “internal control deficiencies; instances of noncompliance with laws, regulations, or policies; and a need for improvement in practices and procedures that warrant management’s attention.”
Among the findings, auditors said DPH contracted with a healthcare staffing company in August of 2020 to help with contact tracing, which was used to help prevent the spread of the virus.
DPH “did not effectively monitor or enforce contractor compliance with its confidential and protected health information policy,” the audit states. That resulted in the department not being aware that the contractor used “unapproved communication methods” that were not detected during the contract period.
Auditors said they found and reviewed over 100 voicemails that revealed the contractor used personal email accounts to distribute information about callers to the department who were exposed to or tested positive for COVID-19.
Auditors said DPH should strengthen its internal controls “to effectively monitor contractor compliance with department policy” to safeguard confidential and protected health information.
In a response included in the report, DPH said it “agrees with this finding,” and that it will have staff members “periodically review” contractor work for compliance.
Contractors who do not comply with DPH policies “will receive training and instruction on how to comply. Further noncompliance will result in the loss of the contract,” the agency said.
Asked for additional comment Thursday, agency spokesperson Brittany Schaefer responded that, “We stand by our agency response comments in the report.”
The audit also found that:
- DPH did not update and maintain information in the Core-CT Asset Management module for several years. It also failed to properly document asset disposals, locate missing assets, perform complete physical inventories, and capitalize certain expenditures.
- For the Core-CT compensatory time plan, 550 DPH employees were enrolled, but 54 were enrolled in a plan that did not agree with provisions in their union contract. The audit also found that, of 37 employees separated from DPH during the audit period, the
- Core-CT accounts for 17 of those employees were not disabled immediately, taking between 10 and 39 months to close.
- DPH could not provide 22 of 29 statutorily required reports or evidence of their submission or posting to its website.
- DPH failed to provide support for overtime eligibility for 10 exempt employees who earned 89 hours of overtime totaling $5,323.
The report recommends DPH strengthen its internal controls and implement effective monitoring procedures to address these issues.
