Incident Overview

On May 24, 2011, a medical resident initiated a report of one potential child pornography image based on review of three images on a USB thumb drive attached to a computer in a lounge for medical residents in the hospital.  The initiation of the report included contact with faculty physicians for assistance and a request for direction from the Health System Compliance Office.  The Health System Compliance Office referred the concern to Hospitals and Health Centers’ Security Services and the Health System Legal Office on May 25, 2011.

Attorneys in the Health System Legal Office investigated whether there was evidence of criminal activity that should be reported to law enforcement.  The lead attorney, a recent hire, had significant experience investigating and prosecuting health care professionals.  She asserted control of the investigation, sought the acquisition of evidence from the computer in question, and interviewed the resident who reported that she may have seen evidence of child pornography.  The lead attorney determined that there was not enough evidence to take the report to police and reported her conclusion to the Health System Legal Office, the Health System Compliance Office, and to the reporting resident.  She closed her investigation in the first week of June 2011 and left the University soon thereafter for reasons unrelated to this incident.

At the time, those who were aware of the concern and investigation deferred to the lead attorney because of her expertise and assertion of control over the review, with the (mistaken) belief that the investigation was proper.  In November 2011, the matter was raised again by concerned physicians in the wake of the Penn State incident, this time with the Office of Clinical Affairs, the department charged with ensuring every physician’s competence to deliver safe patient care.  Upon a second review, sufficient evidence was discovered that led to the termination and arrest of a suspect in the case.

Upon learning of the gap in reporting, President Coleman immediately ordered a review of the incident by University Audits to determine reasons and root causes for delayed reporting.

As a result of that review, it has been determined that the initial investigation was insufficient and improper:

1. The resident who reported the crime described the lead attorney who interviewed her as intimidating and threatening, causing distress and a feeling that she should not have come forward with the report.
2. The lead attorney’s assertion of control over the investigation caused others in the Health System to cease their investigatory efforts, awaiting direction from Health System Legal Office.
3. The review of the computer by Health System personnel was insufficient and would have been enhanced if law enforcement had been involved to lead the investigation.

Beyond the role played by the attorney who is no longer with the University, management is concerned with the missed opportunity to appropriately report by others who were aware of the allegations in May, including:

1. The failure to report the potential crime to DPS and, instead, the decision to engage in an investigation through the legal office;
2. The decision to rely on the opinion of one attorney about the sufficiency of the evidence to determine whether or not a report would be made to DPS; and
3. The failure to recognize that in light of the possible risk to patient safety a report should be filed with the Office of Clinical Affairs or the Health System Risk Management Office to explore what protections might need to be put in place, even in the absence of a criminal investigation.

University management accepts responsibility for the delay in reporting the crime, an unacceptable handling of the reporting and necessary investigation of the concern regarding child pornography.  We conclude that the assertion of improper control of the investigation by the attorney and reliance on her conclusions by others were the root cause for the delay and improper handling of the initial report.  The case should have been forwarded to the Department of Public Safety in May.

Individual corrective action will be taken with the involved current employees to ensure greater clarity of their respective roles and the importance of vigilance when handling complaints of possible criminal activity or risk to patient safety.  This corrective action will be documented in the employees’ personnel files and those employees will be held accountable for improvement through the established performance review process.

To help determine how the specific circumstances arose that led others to rely on the conclusions of the lead attorney in this case, University Audits reviewed the particulars of this matter, as well as the overall status of safety and security operations at the University.  During the course of review by University Audits, a number of observations were made involving the identification, reporting and handling of security and criminal investigations across the organization.

University management acknowledges the history of difficulties between DPS and Hospitals and Health Centers Security (HHC-Security).  We accept the findings by University Audits that tensions between the two organizations contributed to the failure to report allegations of child pornography in May.  We are determined to resolve these differences and create a positive safety and security culture across campus.

University Audits made a number of important recommendations to address the specifics of the incident in question as well as the systematic problems that contributed to it.  Management accepts the recommendations and is committed to pursue the recommendations with strengthened policies, procedures, and training to prevent future lapses in protecting the safety and security of the patients we serve and the entire campus community.

Though not involved in this incident in any way, we believe it is important that Housing Security participate in our comprehensive efforts to ensure the development and implementation of a shared security vision campus-wide.  The recommendations outlined below, therefore include Housing Security.

Specifically, Health System and Central Campus managers and staff will work together to develop an integrated response, reflecting the collaboration and interactions required to implement positive and sustainable changes in policies, practices, orientation, training, and culture.  Some of the recommendations outlined in the audit report and this management plan are established or works in progress.  Other recommendations will be pursued for timely implementation as summarized below.

Recommendation:  Develop an extensive set of common guidelines and protocols for reporting security incidents throughout the University.  The protocols need to be actionable and should establish clear communication and procedures for hand-off of cases between University safety and security organizations.  These practices can be in the form of checklists, online training, decision trees, and formal policies and procedures.

Management Response:  Leadership in the following departments and offices will work collaboratively to develop recommendations for common guidelines regarding suspected criminal activity: Office of General Counsel, Health System Compliance Office, Health System Risk Management, Hospitals and Health Centers Security (HHC-Security), Housing Security, DPS, and others as appropriate.

It will be made clear that, pursuant to these guidelines, suspected criminal activity is to be reported to the Department of Public Safety for investigation.  An action plan consisting of draft policies, procedures, and other material with timelines needed to implement this recommendation will be written within 90 days.

Recommendation:  Raise awareness of the patient, employee, and student privacy rules.  Law enforcement and security officers should receive regular HIPAA and FERPA training to raise awareness and sensitivity to privacy.  Commonly understood definitions are needed for when and under what circumstances protected information should be shared with security and law enforcement agencies.  A streamlined process is needed when there is suspected criminal activity to ensure relevant protected information is shared with law enforcement through means that are legally appropriate.

Management Response:  It is essential that all safety and security personnel have broad understanding of the laws that govern access to student and patient records.  While we have no doubt that there are key staff members in all of our safety and security offices with deep understanding of HIPAA and FERPA, we are committed to broadening this knowledge.  The Office of the General Counsel has the lead to develop the training plan, with support from HHC-Security, Housing Security, DPS, Human Resources, and the Health System Compliance Office.  The plan will be developed, including a schedule for implementation within 90 days.

Recommendation:  Foster better understanding and sensitivity of duty to report requirements.  Develop legal guidance and training to help responders navigate the complexities and grey areas of reporting suspected criminal activity.

Management Response:  Management will issue a memo to deans, department heads, and directors as a reminder of the importance and obligation of the duty to report suspected criminal activity in accordance with relevant law.  This memo will be issued by February 20, 2012.

We will prepare a plan to provide all safety and security personnel a working understanding of the potential conflicts in the “duty to report” requirements and privacy requirements under various laws, such as those governing health care, education, victim and whistleblower protection, and the Clery Act and how those sometimes conflicting requirements should be balanced in the health care and campus environment.

A specific training program will be developed by OGC with support from Human Resources, within 90 days, with training to be initiated no later than 120 days.  Refresher training will be offered on an annual basis.

Recommendation:  Review the use of 911 triage and dispatch.  DPS and HHC-Security should have formalized dispatch procedures for the operation of the facility control center.  Security officer responders should clearly identify themselves as security and not law enforcement.

Management Response:  Health System and Central Campus leadership are committed to review 911 public safety answering points (PSAP) requirements and standard operating procedures to ensure the response to every 911 call is held to the highest standards of effectiveness, coordination, and efficiency.  This review will be initiated by March 1, 2012.

Recommendations:  Create a shared communication system that facilitates accountability and cooperation. Both HHC-Security and Housing Security need to be aware of crimes that have occurred in nearby areas of their responsibilities.  Shared reporting mechanisms should be seamless, designed to share University-wide safety and security information, and facilitate communication protocols and decision processes.

Management Response:  DPS, HHC-Security, and Housing Security management recently met to discuss the impact of CLEMIS on information sharing and to develop a process for HHC-Security and Housing Security to access safety and security information that meets criminal justice information requirements.  Both HHC-Security and Housing Security need to be aware of crimes that have occurred in nearby areas of their responsibilities.  Shared reporting mechanisms should be seamless and designed to share University-wide safety and security information, and facilitate communication protocols and decision processes.

The first phase of providing access to the DPS Security Center was implemented on February 3, 2012.

Recommendation:  Formally debrief on major security incidents.  Develop a process that gathers all groups involved in a case to discuss what worked well and what could have been done better.  Learn from the experience so that positive actions are reinforced and the things that did not work to the satisfaction of everyone involved are discussed and resolved so that the process will be improved the next time there is a similar incident.

Management Response:  Existing debrief processes are currently utilized in the University, including in the U-M Office of Emergency Planning and at the Health System through its Office of Clinical Affairs, following significant or “adverse” events.

These processes will be utilized on a more routine basis after major security incidents occur, to ensure an opportunity for “lessons learned” sessions.  Part of this process will be to determine what worked well and to identify opportunities for improvement in a problem-solving and non-blaming atmosphere.  Immediately, these sessions will occur after major security incidents and, in the future, the sessions will be based on procedures developed as a result of this management response.

Recommendation:  Develop ongoing team-building training programs. Develop a comprehensive training program that builds knowledge and understanding of process from all perspectives, and builds a collaborative team effort for addressing many types of issues.  Training can assist all parties understand the reasons for perspectives and regulations that impact the prescribed protocols, actions, and philosophies of others involved in a particular chain of response.  Training should encompass the viewpoints of all parties and be attended by a cross-section of safety and security organizations.

Management Response:  We are committed to develop an active training program to ensure knowledge and understanding as central to a team-building effort between and across all safety and security units.  This training will be integrated with other training efforts described earlier,  developed in consultation with the Office of the General Counsel, Health System Compliance Office, Human Resources, DPS, HHC-Security, Housing Security and other units as necessary.  This training program will be developed within 90 days and initiated within 120 days.  The leadership of the security units will be responsible to provide orientation and refresher team training on a regular basis (at least twice per year).

Recommendations:

• Review the reporting lines and communication structure of police and security units.  Benchmark with other universities to provide examples of effective safety and security models.  Consider the optimal structure given the complexities of our University for ensuring public safety and security.
• Consider a DPS liaison office within the Health System.  There is no consistent DPS presence within the hospital.  DPS officers are only interacting with hospital faculty and staff when there is a criminal investigation or an emergent situation.  This contributes to tense working relationships and miscommunication.
• Develop cross-functional teams.  Safety and security teams should be defined by incident type, and will ensure that the right skill sets are matched to respond to the particular issue.  Teams should meet regularly in non-crisis mode to further develop understanding and trust.

Management Response:  We are committed to exploring best practices and to determine if alternative approaches might yield benefit to the University.  We will benchmark against peer institutions to review police and security reporting lines and organizational structures, with a benchmarking report completed within six months.

Regarding the liaison idea, we will expand options to enhance visibility of DPS officers in the patient care environment, including routine orientation, training, and unit visits.  Our goals include improved communication, collaboration, and outreach.  We will include the liaison office or officer concept among the options available to meet these goals.

The leaders of HHC-Security and DPS will provide an action plan to enhance ongoing DPS presence within 90 days.

Recommendation:  The culture must change.  Define a plan to enhance team culture.  Engage an outside expert to work with the leaders of the various security units and related areas to examine cultural issues that limit achievement of the common goals of the various units.  This could be accomplished through a series of facilitated offsite meetings that bring the various parties together with a single vision.  Without a cultural shift there will continue to be breakdowns in the effectiveness of the organization as a whole.

Management Response:  We believe that creating a culture of mutual respect and understanding is essential to creating a safe and welcoming environment for all.  We will develop an approach to measure the culture and identify ways to enable an improved sense of collaboration and teamwork between and across our safety and security units.

Management accepts the recommendation to bring in external expertise for a full assessment of the working relationship and operational issues with HHC-Security, DPS, and the units with whom they interact regularly, in order to address significant cultural and management issues that have arisen in the course of this internal review.

The University’s Associate Vice President for Human Resources, the Health System’s Chief Human Resources Officer, and the Associate Vice President for Student Affairs have accepted lead roles to retain one or more outside experts who will assess our safety and security culture and help us achieve needed change.  The outside expert(s) will be brought on board by April 1, 2012 and an implementation plan and schedule will be developed within the following 60 days.

Ora H. Pescovitz, M.D.
Vice President for Medical Affairs

Timothy P. Slottow
Vice President and Chief Financial Officer

Suellyn Scarnecchia
Vice President and General Counsel

Back to New Division of Public Safety and Security