HospitalInspections.org

Based on review of documentation and interview with staff, it was determined the facility failed to maintain the privacy and confidentiality of patient information as departmental reports with patient identifiers were taken out of the facility. The facility also failed to follow its own policies and procedures.

Findings included:

A review of facility policy #900-RI-06 entitled, "Patient Rights" stated "Brownwood Regional Medical Center respects the rights of patients..." Further review of the policy revealed, "Rules: 3. Patient rights are summarized below E. To security, personal privacy and confidentiality of information."

A review of facility policy #909-MI-19 entitled, "HIPAA Security" stated "Disciplinary action for breaches of confidentiality will be addressed through Information Security Violations standards established by the Multi-Facility and Facility Security Committees. Minimally, standards should reflect the violation guidelines outlined in the procedure below..." Further review of the policy revealed, "Rules: 1. Employees: Employees found in violation of Appropriate Access policies will be confronted with the violation by their manager and the HIPAA Security Official or designee."

In an interview with staff member #2 on 2/28/2012 at 11:30am, it was confirmed that a departmental report was taken home which had patient labels on the documents. Staff member #2 mentioned the report was "how many billable treatments per man hours."