Bringing transparency to federal inspections
Tag No.: A0147
Based on interview and record review, the hospital failed to ensure patient rights were maintained for 4 patients whose confidential electronic medical records were accessed by an unauthorized individual. (Patients #1, 2, 3, 4) Findings include:
1. Per interview on 11/22/10, Patient #1 stated that due to his/her suspicion that an unauthorized person was accessing his/her medical record, a request was made to the hospital Privacy Officer on 6/10/10 to conduct an audit of the access history of a specific employee. An audit was completed, and on 6/14/10 Patient #1 was informed there was a breach in their medical record by an unauthorized employee. A second request was made by Patient #1 on 6/18/10 for the audit to go back 10 years. This second audit confirmed the same individual conducted 106 unauthorized accesses over the past 10 years. A third search was requested by Patient #1 regarding other family members, with the speculation that there were further breaches of patient rights to confidentiality of their medical records. Patient #2's medical record was accessed without authorization 7 times from 8/08/07 through 12/23/08; Patient #3's 9 times from 8/8/07 through 3/12/08; and Patient #4's 3 times from 8/07/07 through 8/9/07.
The hospital's policy, Confidentiality Compliance Audit (last revised 6/24/10), states that if any unauthorized access is suspected, the manager/supervisor of the employee whose medical record access is being audited would be required to complete an event report. An investigation would be conducted by the Privacy Committee, to include the Privacy Officer, Human Resources and the Administrative Director of Healthcare Services Assessment. Per interview on 11/23/10 at 12:15 PM, the Privacy Officer confirmed that in June/09 the former supervisor for the individual who committed the breach in confidentiality failed to identify, in the random audit report, obvious breaches to Patient #1's electronic medical record. As a result, unauthorized access by the former employee continued until 5/13/10. The Privacy Officer confirmed "It slipped through the cracks", which subsequently resulted in the breach of patient rights by not consistently ensuring privacy of each patient's electronic medical record.
Tag No.: A0267
Based on interview and record review, the hospital failed to ensure the Quality Assessment and Performance Improvement (QAPI) program assessed processes of hospital services and operations pertaining to the breach of confidentiality of 4 patients' medical records. (Patients #1, 2, 3, 4) Findings include:
1. Per interview on 11/22/10 at 11:45 AM, the Privacy Officer/Health Information Administrator confirmed the electronic health records of a patient and the patient's children had been breached by a former employee multiple times over a 10 year period. Per review of the audit report, generated upon request by Patient #1 on 6/10/10 when he/she became suspicious of the breach, the Information Services Department (IS) confirmed that from 10/18/1998 through 5/13/10 Patient #1's Meditech electronic record was accessed 106 times by the unauthorized individual. Patient #2's medical record was accessed without authorization 7 times from 8/08/07 through 12/23/08; Patient #3's 9 times from 8/8/07 through 3/12/08; and Patient #4's 3 times from 8/07/07 through 8/9/07.
The hospital's policy, Confidentiality Compliance Audit (last revised 6/24/10), states that if any unauthorized access is suspected, the manager/supervisor of the employee whose medical record access is being audited would be required to complete an event report. An investigation would be conducted by the Privacy Committee, to include the Privacy Officer, Human Resources and the Administrative Director of Healthcare Services Assessment. Per interview on 11/23/10 at 12:15 PM, the Privacy Officer confirmed that in June/09 the former supervisor for the individual who committed the breach in confidentiality failed to identify, in the random audit report, obvious breaches to Patient #1's electronic medical record. As a result, unauthorized access by the former employee continued until 5/13/10. The Privacy Officer confirmed "It slipped through the cracks".
Although a committee was convened and met several times to review the events surrounding the unauthorized access of 4 patient records by the former hospital employee, the QAPI program members were not included or consulted until weeks after the adverse event had been reviewed and hospital processes had been evaluated with changes instituted. Per interview on 11/23/10 at 8:05 AM, the Director of the QAPI program stated the breaches made in the confidential records of 4 patients who received care and services at the hospital would be triaged as a "..extremely significant" event. The event was indirectly brought to the attention of the Director of QAPI by the Patient Advocate after the Patient Advocate had a discussion with Patient #1 on 8/16/10. The Quality and Regulatory Compliance Specialist also confirmed during interview on 11/22/10 at 3:30 PM that he/she had not been made aware of the event until approximately 1 month ago, when they were reviewing documentation regarding the medical record breach. Per interview on 11/23/10 at 8:30 AM, the Administrative Director of Healthcare Services Assessment stated "I just don't know what Quality would have contributed to the meetings".
Tag No.: A0442
Based on record review and staff interview, the hospital failed to ensure that an unauthorized individual was prevented from gaining access to patient records for 4 applicable patients. (Patients #1, 2, 3, 4) Findings include:
1. Although the hospital had established an auditing system that addressed protecting the confidentiality of patient records, the system was ineffective in identifying unauthorized access of patient records. Per interview on 11/23/10 at 12:15 PM, the Privacy Officer/Health Information Administrator confirmed confidentiality compliance audits are done each month with the assistance of the Information Services Department (IS), which generates a randomly selected list of 30 hospital corporation employees who have access to the Meditech electronic medical records. The reports are then assigned to each audited employee's manager/supervisor for review of access history to identify possible misuse. The Privacy Officer confirmed that in June/09 an audit was conducted of an employee who repeatedly gained unauthorized access to the electronic medical records of 4 patients. The manager/supervisor of this former employee failed to identify the breaches and complete the "Event Report" as per hospital policy, which would then have initiated a review of the misuse and appropriate corrective action. The Privacy Officer stated it was unclear why the manager/supervisor had not followed the standard cover memo attached to the audit report revived in June/09. Presently the process does not include any additional oversight to ensure all managers/supervisors responsible for reviewing the random compliance audit of employees are proficient in the process and accurate in their review to ensure misuse is not evident.
Per interview on 11/22/10 at 11:45 AM, the Privacy Officer/Health Information Administrator confirmed the electronic health records of a patient and the patient's children had been breached by the former employee multiple times over a 10 year period, which was partially reflected in the audit report generated in June/09. It was not until Patient #1 on 6/10/10 requested the Privacy Officer to conduct a compliance audit of the former employee, after the patient became suspicious of a possible breach in confidentiality of their electronic medical record. Per interview on 11/22/10 at 11:45 AM, the Privacy Officer/Health Information Administrator confirmed the electronic health records of Patient #1 and the patient's children had been breached by this specific former employee multiple times over a 10 year period. The unauthorized access of Patient #1's electronic medical record ran from 10/18/1998 through 5/13/10, for a total of 106 times by the former employee. In addition, after Patient #1 requested a second audit, it was revealed that Patient #2's medical record was accessed without authorization 7 times from 8/08/07 through 12/23/08; Patient #3's 9 times from 8/8/07 through 3/12/08; and Patient #4's 3 times from 8/07/07 through 8/9/07, by the same former employee.