Tag No.: A0147
Based on observation, staff interviews and documentation it was determined the facility failed to protect the patient's right to have their personal, private and medical information remain confidential.
The findings include:
On 09/09/2015 at approximately 8:55 A.M., infection control observations were conducted within the patient care areas on Medical Surgical Unit (MSU). The surveyor unintentionally hit a bedside table with an unoccupied Workstation on Wheels (WOW) sitting in the hallway outside of the patients' rooms near Room 213. The surveyor noted the WOW screen was no longer active in the screen saver mode and showed many different icons. The computer screen did not display a secure login. When a minimized icon tab was clicked, confidential patient information was visible and accessible. Staff #8 was present with the surveyor during this observation.
Note: Workstations on Wheels (WOWs) or Computers on Wheels allow a nurse or clinician to have real-time access to patient information in a convenient and mobile platform, while also providing a work surface and optional storage drawers that enable them to make fewer trips back and forth to the nursing station. Physicians, on the other hand, need convenient access to patient information and the ability to respond to that information quickly. Workstations on Wheels enable clinicians to access data at the time care is provided to the patient per information from www.healthcarecart.com/workstationsonwheels.html
Staff #8 was interviewed regarding the protection of patient confidential information and if the WOW had a time out or login protection set for security purposes. Staff #8 stated, "I believe they are supposed to lock after 30 seconds if [there is] no activity." The surveyor and Staff #8 waited approximately eight (8) minutes at the WOW to observe if an employee would return to the WOW. The WOW indicated an employee was still actively logged into the facility data system. After eight (8) minutes of observation and no activity on the WOW, no employee returned and confidential patient information for the patients on the MSU remained accessible. Staff #8 stated, "I will make a phone call to check on this."
During a second observation at approximately 9:30 A.M., Staff #22 left his/her WOW unattended in the hall outside of Room 208 to enter into the supply room. Staff #22 left the WOW unattended for approximately two (2) minutes. The surveyor and Staff #8 observed the WOW in screen saver mode but when touched, the screen saver mode disappeared and the icon for (name of computer program used to maintain patient confidential information) was minimized. The minimized tab and patient confidential information were accessible on the screen to view without entering any login information. The surveyor interviewed Staff #22 regarding the process for system security related to the WOWs. Staff #22 stated, "I think it will lock within 3 to 4 minutes with no activity. If we are going to be away from our computers, we are to minimize the tab and the screen saver will hide information during the computer inactivity." The surveyor asked Staff #22 whether he/she had to log in and out of the WOW many times during his/her shift. Staff #22 stated, "No, we just have to make sure we minimize our work if we are going to be away from the computer at any time."
On 09/09/2015 at approximately 9:45 A.M., Staff #8 reported the information he/she received from Staff #19 and from a corporate IS Security Officer regarding the system security for the computers as follows: "A screen saver is set for 60 seconds if no activity is detected and no password is needed to reenter the computer. The computer will lock after 15 minutes of no activity detected and a password will be needed to access the computer."
On 09/09/2015 a blank admission packet was provided and reviewed. Included in the contents of the packets, among other items, was a booklet titled "Patient Handbook." Upon review of the "Patient Handbook" and acknowledgment from Staff #1, it was noted patients are informed about their rights to confidentiality of protected health information on admission, as it is stated on page three (3), which reads as follows: "Right to Privacy and Confidentiality... You have the right to privacy regarding your medical care program, including case discussion, consultation, examination and treatment. All records pertaining to your care shall be treated as confidential and reviewed only by the individuals directly involved in your care. You have the right to access information contained in your medical record within a reasonable time."
On 09/09/2015 at approximately 3:45 P.M., an interview was conducted with Staff #1, Staff #17 and Staff #19 on the MSU at the nurse's station. Staff #17 stated the expectation of all MSU staff regarding accessing a WOW or computer at the nurse's station is that if a staff member needs to leave the computer unattended for any reason, he/she is to minimize the program he/she is working in and the screen saver will hide the information on the screen during inactivity. The staff do not need to lock the computer, just minimize the data so it is not visible on the screen. Staff #19 confirmed this is the expectation for the ICU (Intensive Care Unit) staff because the ICU staff are provided access to the same data system as MSU. Staff #19 verified that MSU and ICU staff can bring up the patients they have been assigned to for their shift and can keep minimizing this data, or the staff can bring up any inpatient that has been admitted to the MSU or ICU. Staff #1 reported he/she wanted to clarify that different departments throughout the hospital have access to different software programs to document patient information.
Staff #1 acknowledged that staff are only given access to the data or software programs they will access; for example, a staff member may work on MSU that uses a data program but won't have access to the Emergency Department (ED) data because that department uses a different software program. Another example is a person may be a floater that is shared between hospitals in the same system and if they are granted access they can access data from either hospital, but it is being monitored just as regular and periodic internal system reviews and audits take place. Staff #1 stated, "It is my expectation and that we train the staff to always logout of the computer as the best practice and not minimize their work." The surveyor inquired if the hospital had problems where staff members were documenting or accessing patient information under another staff member's user identification. Staff #19 reported that he/she was not aware of any problems; however, an audit of the compliance system is in place including the notification of the director of the unit if an employee is not following the policy. The director will investigate the details and handle the appropriateness of the access and advise the IS Security Officer of their findings.
The findings related to protecting the patient's right to confidentiality of his or her clinical record were discussed with the Administrative Team on 09/09/2015 at 5:15 P.M. Staff #1 acknowledged that the facility failed to maintain the facility's system in the manner required by this regulation and their own approved and established procedure, and that it was not until it was brought to his/her attention by the surveyor that this process failed to protect the confidentiality of the patient's private and medical information.
The agency's policies titled, "System Security Policy" and "Information System Computer Security Awareness" were reviewed on 09/10/2015. The policy titled, "System Security Policy" read in part:
"Purpose: [Name of hospital system] is committed to implementing technical policies and procedures for electronic information systems that maintain electronic protected health information (EPHI) as well as other confidential information and to allow access only to those persons or software programs that have been granted access rights.
Policy: The policies and procedures stated herein apply to all EPHI and other sensitive information maintained or transmitted by VH.
A. Confidentiality
1. Because [initials of hospital system] has an obligation to protect patient privacy, all personnel of [initials of hospital system] are to maintain all information regarding a patient in strictest confidence.
2. The computer system is to be used to gain access or enter data to a patient's record on a need to know basis. Any other use is strictly prohibited.....
3. As stated further in this policy sharing of logons and passwords is prohibited.
4. Screen Savers and Auto Logoff
a. Screen savers must be used to hide information on the screen during computer inactivity. Passwords can be assigned by only when selecting the checkbox "on resume, display login screen" from the screen saver set-up screen. The system will then require the logged in user's network password to resume/unlock.
b. Computers in common areas, which provide access to patient or other proprietary information, and are left unattended for any period of time must have a screen saver. The WMC Emergency Department is the only area that requires a locked screen upon start of screen saver.
c. A screen saver set for 1 minute after inactivity must be applied to all computers that are used in unsecured areas. An unsecured area is defined as any area that has traffic of non-valley health employees occurring on a regular basis providing the possibility of exposure to confidential patient or business information. This exposure can be by viewing or unauthorized access to computer equipment.
5. To protect confidential records against unauthorized access, employees who leave their workstation area for any period of time are to "lock" the workstation by selecting "Lock this computer" from the Ctrl + Alt + Delete menu.
C. User Identification
e. A user may only use their own user ID to attempt to logon a workstation or the Valley Health Network. The use of another person's assigned User ID is a violation of policy and may lead to disciplinary action; up to and including, termination.
2. User Passwords
e. Users must not share passwords/security codes with anyone. Each user will be held personally responsible for all actions performed using their password/security code."
The policy titled "Information System Computer Security Awareness" read in part:
"Policy: [initials of hospital system] is committed to providing ongoing information and training to its workforce members to promote appropriate and legal usage of computer software and hardware that contains electronic protected health information (EPHI) and other protected and/or proprietary information.
1. Each workforce member will receive computer security awareness training/information the following methods:
a. During new hire orientation
b. Yearly on Annual Mandatory Reviews
c. Other communications or material distributed based on need."
Tag No.: A0806
Based on interview and document review it was determined:
1. Nursing staff failed to perform a discharge planning assessment/evaluation for one (1) of three (3) emergency department patients included in the survey sample (Patient #3) and
2. Case management staff failed to complete the discharge planning assessment/evaluation for one (1) of two (2) inpatients included in the survey sample (Patient #4).
The findings included:
1. Review of Patient #3's electronic medical record (EMR) was conducted on September 8, 2015 at 3:05 p.m., with Staff #5, Staff #6 and Staff #8. Patient #3's EMR indicated the patient had been admitted to the Emergency Department on September 8, 2015 at 00:01 a.m., related to "chest wall pain and anxiety." Patient #3 was discharged to home on September 8, 2015 at 4:33 a.m., in "stable" condition. Staff #6 reported that nursing staff utilized the "Mobility Screening," "Activities of Daily Living," and "Special Needs/Disabilities Questionnaire" within the initial nursing assessment to determine the patient's discharge needs. The review of Patient #3's initial nursing assessment revealed the "Mobility Screening," "Activities of Daily Living," and "Special Needs/Disabilities Questionnaire" sections had not been completed. Patient #3's EMR did not have documentation that a discharge assessment/evaluation was performed.
Staff #8 reported the facility's software system created discharge instructions for each patient related to the patient's diagnoses. Staff #8 reported the electronically signed discharge instructions documented the patient had received both discharge education and a copy of the discharge instructions. Review of Patient #3's EMR did not include signed discharge instructions. Staff #6 reported that nursing staff "occasionally printed two copies of the discharge instructions and the signed paper copy was scanned" into the patient's EMR by health information staff.
An interview was conducted on September 8, 2015 at 4:38 p.m., with Staff #1. Staff #1 reported the health information staff could not find discharge instructions signed by Patient #3. Staff #1 reported Patient #3's EMR did not have evidence the patient received his/her discharge instructions.
2. Review of Patient #4's electronic medical record (EMR) was conducted on September 9, 2015 at 7:11 a.m., with Staff #5 and Staff #8. Patient #4 came to the Emergency Department on September 1, 2015 related to shortness of breath. The initial nursing discharge assessment/evaluation and discharge needs documented a recommended need for occupational therapy (OT) and physical therapy (PT) related to the patient's bilateral lower extremity weakness. The physician's medical screening examination diagnosed Patient #4 with "Sepsis" and a "urinary tract infection." Patient #4 was admitted to an inpatient unit on September 1, 2015. A physician progress note dated September 6, 2015 documented the plan to consult OT and PT. Review of Patient #4's EMR did not reveal an OT or PT consult or evaluation had been conducted. Patient #4 was discharged from the inpatient unit on September 8, 2015 at 11:30 a.m. without receiving OT and PT services.
The review of the case manager's documentation revealed the discharge check list had not been completed. Staff #5 reported the case manager's discharge checklist documented the patient's discharge needs and what the staff implemented to address the patient's needs and ensure a safe discharge. Staff #5 and Staff #8 reported the case manager's discharge check list should be completed on every inpatient prior to discharge. Staff #5 and Staff #8 verified the case manager's discharge check list for Patient #4 had not been completed. Staff #8 acknowledged that nursing staff and case management staff failed to follow through and ensure the physician wrote orders for Patient #4 to have OT and PT services. Staff #8 verified nursing and case management failed to ensure Patient #4 had been assessed for outpatient OT and PT services as part of the patient's discharge needs.