HospitalInspections.org

Based on observation, policy review and staff interviews, the Critical Access Hospital (CAH) administrative staff failed to secure and protect patient information from unauthorized users. The problem was identified for the locked confidential shred bins located throughout the hospital and in a storage area and the Health Information Management (HIM) Department.

The CAH administrative staff estimated approximately 25,434 patients records
on open shelves and 63 boxes of patient records in the HIM Department and an additional 191 boxes of patient records stored in an outside storage building. The CAH administrative staff identified 18 small confidential collection bins located throughout the CAH and 6 large ones stored in an outside storage building.

Failure to secure the patient information could potentially cause a misuse of patient information and/or stolen identity for the individual patients.

Findings include:

Review of a CAH policy, date 4/14, titled "Employee Access to Minimum Necessary Amount of Protected Health Information (PHI)" defined PHI as information that identifies an individual's medical and billing information and a revealed a table to identify the minimum amount of PHI considered to be minimally necessary to complete job performance by job classification. The table identified Housekeeping (Department Head, Maid, Janitors) required no PHI but responsible to take PHI from confidential containers to truck for shredding and Maintenance required no PHI.

During an interview on 4/19/16, 9:00 AM, and 4/20/16, at 12:30 PM, Staff C, Facilities Director, reported the process for emptying the confidential shred bins included a team of 2 janitors who rounded the facility and emptied the smaller bins into a large one. The janitors obtained the keys for the shred bins from a key safe, opened by a code which is known to the janitors and maintenance staff. The large bins are stored in an outside storage building until the contracted shredding company arrives to shred the materials. Staff C reported the storage shed required a punch code to unlock, which is known to the janitors and his maintenance staff. Staff C acknowledged since the janitors and maintenance staff had the code for the key safe, which held the shred bin keys, and the punch code to enter the shred bin storage area, there would be the potential for these employees to access the PHI unsupervised. Staff C reported the janitors carry a master key, during work hours, and his maintenance staff have a master key, that allows access to the HIM department and the outside storage building. Staff reported there are a total of 6 janitors and 3 maintenance staff (excluding himself) employed by the CAH.

Observation of the HIM department on 4/19/16, at 10:05 AM, revealed a file room with open shelving holding the majority of the departments patient medical records. The department also contained several boxes of patient medical records.

During an interview at the time, Staff D, HIM Director/Privacy Officer, confirmed the patient medical records stored in the HIM department are unsecured when the department closed and these records, in addition to the ones stored in the outside storage building, would allow for unsupervised access to anyone able to access those areas. She confirmed the current process for collecting and storing the PHI in confidential shred bins and confirmed the shred bins contained PHI, for which janitors and maintenance staff would be considered unauthorized users. Staff D acknowledged the current system, with access to the shred bin keys, shred bin storage area, HIM department and HIM outside storage building allowed for the potential of unsupervised access to the PHI.