Tag No.: A0147
Based on observations, record reviews, and interviews, the hospital failed to ensure patients' clinical records were kept confidential in the Emergency Department Overflow Area.
Finding:
The hospital's "Information Systems Access Management" policy, approved 5/25/21, stated, "...b) When using a shared workstation, a user must log out or, at a minimum, lock their application access when stepping away from the shared workstation to prevent other users from accessing their session...." The policy's "Workstation and Application Level Inactivity Timeout Settings Table" (Table B) indicated that workstations must provide "Screen Obfuscate" at the 10 minute mark and must automatically lock by the 15 minute mark. Exceptions to these standards are allowed where there is a critical clinical, operational, or technical need for such exceptions and appropriate compensating controls are in place which limit the risk of workstation session exposure.
The hospital's "Compliance & Ethics, Patient Rights, & Patient Care & Protection" training states, "Only authorized employees should have access to areas where medical records are stored."
On 7/27/2021 at 10:30 AM, observations of the Emergency Department Overflow Area identified three of three computer terminals at the nursing station unattended, without a barrier to access, unlocked and open to continuous view. The Electronic Health Record (EHR) information of multiple patients was displayed on the screens at the time of observation. The unsecured EHRs were noted to have patients' names, diagnoses and patient health information displayed. The EHR display monitors were clearly visible and accessible to anyone passing by in the hallway area behind the computer desk.
On 7/27/2021 at 1:40 PM, the Interim Infection Preventionist stated that the time-out for the three nursing station computer terminals is 15 minutes or dependent on the staff role. She confirmed the two employees working at the Overflow Area were not present at the nursing station, and confirmed the EHR information was observed by the surveyor.