HospitalInspections.org

Bringing transparency to federal inspections

189 PROUTY DRIVE

NEWPORT, VT 05855


Tag No.: C0308

Based on staff interview and record review, the hospital failed to develop an active surveillance process for assuring confidentiality and privacy of private health information for two (2) electronic medical records (EMR) (Patients #1 and #2). Findings include:

Per staff interview on December 26, 2013 at 11:10 AM, the Chief Compliance Officer confirmed that two hospital patient records had been breached. The first breach, #1, occurred on August 8, 2013, and the second breach, #2, occurred on October 29, 2013.
Record #1 was discovered as a breach when a treating clinician requested an audit based on health information contained in the EMR that was disclosed to him/her by an unauthorized employee-user. The audit confirmed the unauthorized user had breached the medical record on several occasions. The unauthorized user subsequently elected to take an early retirement.
Record # 2 was discovered to have been breached when the patient requested to have an audit completed based upon suspicion that an unauthorized employee had gained access into his/her EMR. The audit confirmed that an employee gained access into the patient's EMR without authorization as indicated in facility policy. The unauthorized employee was then terminated from employment.
The facility administration has an established Information Security Management Team (ISMT) consisting of multidisciplinary membership. As of December 26, 2013, the ISMT has not developed or implemented an auditing system that protects the confidentiality of patient medical records. Both discovered breaches were brought forward by employee suspicion and not through an active alert-identification process facilitated via ongoing or random auditing. The Chief Compliance Officer confirmed on December 26, 2013 at 3:00 PM that there is not an ongoing or random audit program currently in place.