Tag No.: A0043
Based on interview and record review, the facility's Governing Board failed to ensure adequate oversight of patient medical records as related to the security of 176 patients' Protected Health Information (PHI: any information in a paper or electronic medical record that can be used to identify an individual, for example, demographic information, and information used in providing health care, including diagnoses, care and treatment of a patient) removed from the facility.
This had the potential to affect all patients in the hospital. The facility census was 222.
The severity and cumulative effect of these systemic practices resulted in the facility being out of compliance with the CoP of Governing Body.
Tag No.: A0057
Based on interview and policy review, the Governing Body failed to ensure the Chief Executive Officer (CEO) was responsible for management of the entire facility, including accountability for the effective oversight of staff in complying with the requirements under the Conditions of Participation for Medical Records and the Governing Body. These failures had the potential to affect the confidentiality of all patients who were provided care by staff authorized to take medical records off-site. The facility census was 222.
Findings included:
1. Record review of the facility's "Bylaws," dated 2018, showed that the Chief Executive Officer (CEO) was responsible for the duties of supervision of staff, management, direction, activities and interests of the facility.
Record review of the facility's policy titled, "Physical Removal and Transport of Protected Health Information and Medical Records Standards," showed that when there was a breach (loss of medical records) outside of the facility, staff were to respond by:
- Reporting the breach immediately to the Privacy Officer and Healthcare Information Management (HIM) Director;
- Filing a police report; and
- Filing a facility security report.
During an interview on 06/11/18 at 3:20 PM, Staff A, Privacy Officer, stated that she was notified by Staff C, Manager of the Heart Failure and Transplant Department, that on 04/09/18, Staff B, Heart Failure and Heart Transplant Nurse Coordinator, took a locked binder with 176 patient spreadsheets (Protected Health Information, PHI) and placed it in the front of her car. In the morning, the car had been broken into and the locked binder had been stolen. Staff B did not work again until 04/11/18, and at that time she notified Staff A and contacted the local police department. Staff A stated that only that department had been retrained and set up on an electronic remote access program called "One Drive." She also stated that there were several other areas of the hospital (Surgery, Physicians, Social Workers and Research Coordinators) that were authorized to remove PHI from the facility.
During an interview on 06/12/18 at 1:30 PM, Staff CC, Senior Director of Social Work, stated that her staff currently used lock boxes to remove PHI from the facility, and that she was unaware of the recent breach. She also stated that there had been no recent education other than the annual education in 2017.
During an interview on 06/12/18 at 1:42 PM, Staff DD, Physician, Chief of Ear, Nose and Throat, stated that sometimes there was only a paper chart and they were unable to access a patient's record electronically; therefore they had to remove PHI from the facility.
During an interview on 06/12/18 at 2:25 PM, Staff EE, Director of Clinical Research and Support, stated that all of her staff took PHI home in lock boxes and that on 06/11/18 they received information regarding training on the electronic program "One Drive" for the removal of PHI from the facility.
The incident took place on 04/09/18, and there had been no training in the other areas of the hospital that removed PHI from the facility.
During an interview on 06/12/18 at 11:12 AM, Staff Q, Vice President of Audit and Compliance (Staff A, Privacy Officer's direct supervisor), stated that the incident was reported on 04/11/18 and there had been no changes; all staff had the "One Drive" program available, but they had not been educated on this program. She also stated that the HIM Director was not notified and there was no security report filed.
Review of the summary of communication regarding the breached event, dated 06/12/18, showed:
- 04/18/18, communication with Senior leadership;
- 04/27/18, communication with Administrative Council;
- 05/02/18, communication with Board of Directors;
- 05/24/18, communication with Board Audit and Compliance committee;
- 05/31/18, communication with Administrative council;
- 06/01/18, communication with Administrative council; and
- 06/04/18, communication with Board Risk Management committee.
Even though requested, the facility failed to provide minutes of the communication regarding the breach event.
During an interview on 06/12/18 at 3:35 PM, Staff FF, CEO, stated that he was made aware of the breach on 04/18/18 by his legal counsel. The governing body had met several times to discuss the 04/09/18 breach, but as of 06/12/18 had not implemented a plan to prevent another breach occurrence. He stated that he expected his staff to re-educate all areas of the hospital that removed PHI from the facility and to follow policy.
The breach of PHI of 176 patients compromised their privacy and posed a significant risk of financial, reputational and emotional harm to these patients.
Tag No.: A0431
Based on observation, interview, and policy review, the facility failed to protect 176 patients' protected health information (PHI: any information in a paper or electronic medical record that can be used to identify an individual, for example, demographic information, and information used in providing health care, including diagnoses, care and treatment of a patient) when staff removed patients' PHI from the facility and left it unattended, which resulted in unauthorized access to PHI by an unknown person without the individuals' written permission or as allowed by law. The facility also failed to protect 25 patients' PHI at the Ground Level Security sign-in post, when staff left a census list out on a counter where unauthorized access could occur.
These failed practices by the facility placed all patients' PHI at risk for unauthorized access. The facility census was 222.
The cumulative effects of these systemic practices resulted in the facility's inability to ensure the safety and confidentiality of all patients' medical records/PHI and resulted in the facility being out of compliance with 42 CFR 482.24 Conditions of Participation: Medical Record Services.
Refer to the 2567 for additional information.
Tag No.: A0441
Based on observation, interview, and policy review, the facility failed to protect 176 patients' protected health information (PHI) when staff removed patients' PHI from the facility and left it unattended, which resulted in unauthorized access to PHI by an unknown person without the individuals' written permission or as allowed by law. The facility also failed to protect 25 patients' PHI at the Ground Level Security sign-in post, when staff left a census list out on a counter where unauthorized access could occur.
These failed practices by the facility placed all patients' PHI at risk for unauthorized access. The facility census was 222.
Findings included:
1. Review of the facility's policy titled, "Physical Removal and Transport of Protected Health Information and Medical Records Standards," revised 12/2016, showed directives for staff to safeguard PHI:
- The purpose of this policy is to ensure appropriate safeguards against the loss, theft, and unauthorized access, use, disclosure, alteration or destruction of PHI in paper form or stored in electronic form by providing basic requirements for the physical removal or transport of such information from or within our institutions;
- Workforce members who must physically transport PHI in any form off-site must follow precautions, including that records must be transported in a secured hard-sided locked box/container, and the hard-sided locked box/container must never be in plain sight or in a vehicle overnight, even if garaged;
- PHI is any individually identifiable health information in any form including data elements specific to an individual from which the individual can be identified; and
- PHI includes media such as medical records, test results, emails, correspondence, notes, work sheets, assignment sheets, any paper document that contains PHI, etc.
Review of the facility's annual mandatory education titled, "Privacy & Confidentiality," dated 2018, showed directives for staff to protect patient privacy rights:
- Confidential information was defined as any information or materials that relate to patients;
- Privacy was defined as the right of the individual or patient to make decisions on how personal information was shared, private information should not be released without the individual's written permission or allowed by law;
- Security was defined as protection, specifically to the means used to protect PHI and holding that information in confidence;
- PHI must be in a hard-sided locked container;
- PHI must be in the trunk of the vehicle or out of sight during transport; and
- PHI being transported from the facility must not be left in a vehicle at any time, even if it is garaged (you must keep the PHI on your person if you make any stops during transport; you are ultimately responsible for the safety and security of this information while it is in your possession).
During an interview on 06/11/18 at 3:45 PM, Staff B, Heart Failure and Heart Transplant Nurse Coordinator, stated that:
- She took a locked binder with 176 patient spreadsheets to her home and placed it in the front passenger seat of her car.
- On the AM of 04/10/18 she realized her car had been broken into and the PHI had been stolen the night of 04/09/18.
- She reported it to her supervisor (Staff C) and emailed Staff A, Privacy officer on the morning of 04/11/18 when she returned to work.
- She notified the local police department at 5:30 PM when she returned home to file a report.
Staff B left the PHI unattended, not in a locked box, and placed it in the front of the car, which was not appropriate per the facility's policy.
During an interview on 06/12/18 at 11:12 AM, Staff Q, Vice President of Audit and Compliance, stated that Staff B should have kept the PHI on her person and shouldn't have left it in her vehicle.
Review of the facility's annual mandatory education titled, "HIPAA & Privacy," dated 2017, showed directives to protect patient privacy rights, including patients' identifiable information such as patient arm bands, patient lists, labels, etc.
2. Review of the undated security department training manual showed directives for staff to protect patient privacy rights at sign-in post:
- It was always important to keep patients' confidentiality a high priority;
- Security should never give out more information than the person needs to know; and
- Visitors will not be allowed to view any information at any time.
Observation on 06/11/18 at approximately 2:10 PM, in the Ground Level Security sign-in post (area designated for identifying visitors), showed a document titled "Security Alpha Census List-HIPPA" on the counter, viewable to visitors and the surveyors. The document contained 11 stapled pages, of which the top page contained 25 patients' PHI that included:
- Patient Name;
- Age;
- Location;
- Room/bed number;
- Phone extension; and
- Admission date.
During an interview on 06/11/18 at 2:55 PM, Staff U, Security Officer, stated that:
- He had left the security alpha census list viewable on the counter;
- From 2:00 PM through 3:00 PM, there had been 46 visitor sign-ins, each with the potential for unauthorized access to patients' PHI from the census list;
- He had education on security and protection of patients' PHI; and
- He should not have left the security alpha census list viewable on the counter.
During an interview on 06/11/18 at 3:05 PM, Staff V, Security Assistant Director, stated that the census list at the security sign-in post should be covered or in a binder and not visible to public view.
During an interview on 06/12/18 at 10:25 AM, Staff A, Privacy Officer, stated that the security alpha census list was considered PHI, and should not be visible to public view.