HospitalInspections.org

Based on record review and interview the facility failed to have a process to inform patients of their rights while admitted to the hospital for 24 (P[Patient]1-24) out of 24 (P1-P24) patients reviewed for patient rights and all patients admitted to the hospital are affected. This deficient practice can lead to patients not being fully involved in their care and unknowingly having their rights violated.

The findings are:

A. Record review of facility policy titled, "Patient Bill of Rights and Responsibilities" dated 01/15/2011 states under "Policy: [Facility Name]'s policy is to inform all patient's/patient representative's of their rights and responsibilities in accordance with Federal and State Law. Under "Procedure" it states ". . . 2. At the time of registration all patients, except in an emergency will be informed of their rights and rules and regulations governing their conduct and responsibilities during their stay in the hospital. 3. Receipt of such information and any amendments to it, must be acknowledged in writing and becomes part of the medical record. . . F-850-01-055-1 Patient's Bill of Rights and Responsibilities [document referenced in the policy.]

B. Record review of facility document titled, "Patient Bill of Rights and Responsibilities" dated 05/19/2010 revealed a four (4)-page document that meets State and Federal Regulations for informing patients of their rights. On page 4 it states, "my signature: I acknowledge receipt of a copy of the Patient's Bill of Rights and Responsibilities provided to me by [facility name]."

C. Record review of the facility admission packet, undated, did not reveal evidence of information on the patient bill of rights and responsibilities and did not reveal the signature page referenced above in finding B.

D. Record review of 24 patient's (P1-P24) electronic medical records revealed that patients did not sign a receipt acknowledging they received or were notified of their rights and responsibilities.

E. During an interview on 08/23/2023 at 10:58 AM with Staff (S)14, Patient Care Tech, it was asked if there was information about the patient bill of rights and responsibilities given during the registration process? S14, Patient Care Tech confirmed that information on the patient bill of rights and responsibilities was not in the admission packet given to the patient.

F. During an interview on 08/23/2023 at 3:05 PM with S18, Registration clerk, it was asked where one would find the "Bill of Rights and Responsibilities Acknowledgement Receipt. S18, Registration clerk confirmed that it would not be found anywhere in the patient's records as it is not used in the registration process.

Based on record review, interview and observations, the facility failed to maintain the personal privacy of patients including but not limited to the patient's location in the hospital; demographic information the hospital has collected on the patient, such as name, date of birth, age; or information on the patient's medical condition. The Protected Health Information (PHI) was not protected for 5 of 28 (P (Patient)14 and P25, P26, P27 and P28) of 28 (P1-P28) patients. This deficient practice is likely to lead to direct inappropriate disclosure of PHI and increased risk of misuse and breach of PHI.

The findings are:

A. Record review of facility policy titled, "Safeguards, Disclosures; Documentation" last revised 9/2010, states, "POLICY: [Facility Name] will employ administrative, physical and technical safeguards to protect the integrity, confidentiality, and accessibility of physical computer systems and related buildings and equipment. [Facility Name] also has in place physical and technical safeguards including measures to control access to computer systems and areas where Protected Health Information (PHI) is stored in order to ensure the privacy of protected health information. SAFEGUARDS * Guidelines for Workstation Use. Guidelines on Workstation Use Screen Inactivity: All users handling PHI whose workstations are accessible to the public must have a screen saver that automatically activates after a maximum of 15 minutes with no activity. The screen saver must be set to require a password to reactivate the computer if the workstation is in an open public area or otherwise generally available to passing traffic. If automatic log-off is not available, users handling PHI must log off their computers when leaving the area for an extended period of time (such as lunch breaks) if the workstation is in an open or public area or otherwise generally available to passing traffic."

B. Record review of facility policy titled, "Physical and Environmental Security" last revised 3/2021 states, "Purpose: The purpose of the Physical and Environmental Security Policy is to minimize risk to [Facility Name] information systems and information by addressing applicable physical security and environmental concerns. CLEAN DESK/CLEAN SCREEN REQUIREMENTS: Sensitive information, whether in paper or electronic form, must be protected from unauthorized access and disclosure."

C. During an Observation on 08/21/2023 at 12:15 pm revealed patient's information in open areas as follows:
1) Open computer screen in publicly used hallway on medical surgery floor, showing the following PHI: patient name, date of birth, age, status, medical record number, admission date, and diagnosis for P14.
2) Open computer screen in open area at nursing station in emergency department, showing the following PHI: patient name, date of birth, age, weight, height, Body mass index (BMI), pain level, and medical record number for P25.
3) Open computer screen in publicly used hallway on medical surgery floor, showing the following PHI: patient name, date of birth, age, status, medical record number, admission date, and diagnosis(es) for P26.
4) Open computer screen in publicly used hallway on medical surgery floor, showing the following PHI: patient name, date of birth, age, status, medical record number, admission date, and diagnosis(es) for P27.
5) Open computer screen in publicly used hallway on medical surgery floor, showing the following PHI: patient name, date of birth, age, status, medical record number, admission date, and diagnosis(es) for P28.

D. During an interview with Staff (S)8, Nurse Informaticist, on 08/24/2023 at 9:27 am, when asked what the policy is regarding leaving a workstation with a computer, S8 answered, "To make sure it is turned down or shut off when you leave it." When asked if employees should rely on automatic computer lock screens to come on, S8 answered, "No, do I think we rely on it yes, but no is the answer to the question."