Tag No.: A0142
Based on observations, interviews and review of facility documents, the facility failed to maintain the personal privacy and prevention of unlawful access to 819 patients' hospital information (PHI) when: A hospital obstetrical technician (OB tech) inappropriately accessed 819 medical records in the perinatal department. The OB tech was allowed to continue to work unmonitored for an additional 6 shifts after the initial reporting of unauthorized access. This resulted in the employee accessing 16 additional patient records until she was put on administrative leave.
Findings:
On 12/7/10 at 8:10 a.m., an interview was conducted with the nurse (RN 1) who had initially reported the unauthorized access by the OB tech to the unit's management. RN 1 stated that some of the usual OB tech duties were to set up carts, prepare the operating room (OR), pass the OR instruments and transport patients. RN 1 stated that an OB tech assists the physician during an infant circumcision and that the OB tech would access the infant's medical record to document the "time out" (a safety measure that ensures the identity and procedure of a patient prior to undergoing surgery) prior to a circumcision. RN 1 stated that she could not think of any other reason that the OB tech would need to access the medical record.
RN 1 stated that she was the relief charge nurse on the day she reported the access, (although she could not recall the exact date). RN 1 stated that she observed the OB tech in the nurse's station at one of the computers. RN 1 stated that the OB tech was spending a long time at the computer and she noticed that the OB tech was looking at a patient's chart. RN 1 stated that the OB tech had spent approximately 45 minutes at the computer terminal and that during that time RN 1 would look over at the OB tech "several times" and noticed that she was accessing different patient charts. RN 1 stated that on that day she notified the on-duty, Assistant Department Manager (ADM), the OB tech was looking at non-infant charts. RN 1 told the ADM that she was not sure that the OB tech should be accessing those charts and wanted to know if it was acceptable or not. RN 1 stated that the ADM told her that she would look into it.
RN 1 stated that while on-duty about 1 week later, she observed the OB tech accessing a patient's chart. This patient was not an in-patient, but an outpatient, who was being monitored for her pregnancy. RN 1 stated that she was surprised that the OB tech was proficient at looking at this patient's prior physician's visits. RN 1 stated that she knew that the OB tech did not take care of that type of patient. RN 1 stated that she continued to observe the OB tech access several other charts, however, she did not confront her about it. RN 1 stated that instead on that day, she reported the outpatient and other accesses to the on-duty ADM who she had originally reported the OB tech to. The ADM told RN 1 that the OB tech had been reported and that, "It was being looked into." RN 1 stated that she was unaware whether the ADM had instructed the OB tech to stop accessing charts on that day.
On 12/7/10 at 8:45 a.m., the Perinatal Nurse Manager (PNM) was interviewed. The PNM stated that she had been notified about the OB tech accessing charts by the ADM on 10/11/10. The PNM stated that on that day, she emailed the, "Compliance Manager" (CM) about the incident and asked if her department would run a query to see what charts had been accessed by the OB tech. The PNM stated that the CM was out of the facility for training and had forwarded the email to her assistant who would run a report for the PNM. The PNM stated that the assistant had run a year's worth of data and had contacted her, "after a couple of days," stating that she was unclear as to the results of the report. Per the PNM, she had advised the assistant to wait until the CM returned in order to clarify the results.
The PNM stated that the OB tech did not have a, "business need" to access patients in the labor and delivery department, post recovery, or pregnant outpatients. The PNM stated that she did not speak to the OB tech about her accessing charts and did not monitor her access during this timeframe.
On 12/7/10 at 9:25 a.m., the Compliance Manager (CM) was interviewed. The CM stated that on 10/11/10, she had received an email from the PNM that indicated they might, "have an issue." The CM stated that she was out of town and had forwarded the email to her Quality Analyst for follow-up. The CM stated that when the analyst pulled a year's worth of data, "it was huge" and the analyst was not sure if the data was appropriate information that the OB tech could access. The CM stated that the analyst had called the PNM to discuss the contents of the data, but the PNM did not return her call. The CM stated that upon her return she was involved with Human Resources (HR) regarding an access incident involving the OB tech and another ADM. The CM stated that she was working with HR and thought that this incident was the same concern that had been reported by the PNM. The CM stated that this delayed the original 10/11/10 investigation requested by the PNM. The CM stated that later on it was clarified that there were two separate issues regarding the OB tech.
The CM produced a series of emails regarding this issue. On 10/11/10, an email had been sent to the CM from the PNM regarding the possible unauthorized access of charts by the OB tech, which was forwarded by the CM to her analyst to aggregate the data. An email from the CM dated 10/20/10 (9 days after the possible detection) to the PNM, had asked if the PNM had received the information that she needed for the OB tech investigation. A reply by the PNM indicated that she had not spoken to the analyst about the report she had put together and asked the CM, "Is there a way to see what medical records, (OB tech name) was looking at?" On 10/25/10, the emails between the CM and PNM indicated that the Compliance Department would run a query of the OB tech's access for 10/11/10. An email dated 10/26/10 (13 days after the possible detection) indicated that a query dated 10/09 to 10/11 was completed and sent to the PNM for review. A reply on the same date by the PNM read, "Thank you for your assistance. This is very concerning. I am investigating further."
On 10/27/10, an email from the Compliance Director (CD), with a subject title that read, "Alleged Breach in L&D (PHI)", indicated that the OB tech had accessed patient charts without authorization. The email indicated that the OB tech had viewed the patient's demographics which contained in part, patient address, any submitted phone numbers (home, work, cell), employer, next of kin and all of the patients' emergency contact information. An email to the Compliance Department on 10/28/10 from the PNM showed a request to have an access review of the other OB techs on the unit. The email also discussed the fact that the PNM had spoken with RN 1 today and that RN 1 had observed the OB tech on several occasions looking at medical records. RN 1 had told the PNM that she did not access the screens that the OB tech had and that she was "alarmed" that the OB tech may have some other purpose other than curiosity in accessing those charts.
On 10/8/10 at 9:05 a.m., an interview was conducted with the PNM, CM and CD. The PNM reiterated that the OB tech had no business need to access charts in the pregnancy triage area, L&D and post recovery. The group was asked why the OB tech was able to access so many areas and the CD stated that the patient population can be accessed by numerous staff members across the continuum as needed. An example was given by the CD that entailed a floor nurse who accessed a patient in the ICU prior to receiving that patient on the unit. The CD and CM agreed that in this instance, the OB tech's ability to access all the different areas did not raise a "flag" that she was unauthorized to access those particular charts.
The group was asked if the OB tech had been monitored during the investigation and the PNM stated that she had not. The PNM stated that the usual sequence is to put the employee on administrative leave until the investigation was complete. A review of the OB tech's schedule showed that she worked on 10/20, 10/21, 10/22 (an extra shift), 10/23 (an extra shift), 10/25 and was scheduled for 10/27 but was put on administrative leave on that day. A review of the access audit showed that the OB tech inappropriately accessed charts on 10/20 to 10/23 and 10/25. The PNM stated that on 10/27/10, she had, "pulled the OB tech" into her office and told her there was an investigation going on that involved her and that she was now on a paid leave. The PNM stated that she instructed the OB tech not to return to work or call the hospital until she was contacted by a hospital representative. The PNM could give no reason as to why the OB tech was not monitored or relieved of duty upon the detection of the possible breach until 10/27/10 (16 days after detecting the possible breach).
On 11/1/10, the OB tech was called in and interviewed by the CD. The OB tech was asked why she had accessed all the charts and she gave two explanations: 1) That she needed to be aware of the patient information in order to answer any questions the doctors may have regarding the patient and 2) That she was a single parent and needed to be aware of any diseases these patients may have so she can protect herself and her family.
The CD reiterated that when the OB tech accessed these charts, her automatic "home page" would appear. A review of the last 5 charts accessed by the OB tech revealed that the home page contained information on the patient's medical problem(s), non-hospital problems (such as screening for depression and other sensitive information, if applicable), code status, isolation status and names of the patient's treatment team. The CD stated that the OB tech also accessed every patient's demographic information. A review of the investigation algorithm provided by the CD showed that on 11/3/10 the breach was substantiated (23 days after being detected) and the OB tech was terminated on 11/4/10.
The CD was asked what new processes were put in place to ensure that staff could not access PHI as the OB tech had done. The CD stated that they had re-educated all staff regarding unauthorized access and confidentiality, by in-services, emails and staff meetings. The CD stated that the information was not new, but reinforced to all staff. A review of the OB tech's confidentiality agreement showed that she had signed the same form on 3/7/10 that was associated with the follow-up in-services.
The CD was asked if there were any monitoring processes in place in regards to unauthorized access. The CD stated that the facility implemented two programs around May, 2009. One of the programs was, "Break the glass/Bump the glass" and the other program was "System Activity Monitoring & Auditing." The CD stated that the first process was a tool that was applied to the clinical charts of patients with high profile/risk situations such as public figures, celebrities, gang members, etc. The system puts up a protective warning which asks the user if they want to continue to access this chart and "break the glass." All of these entries are reviewed to ensure that the access was authorized. "Bump the glass" meant that an individual saw the warning message and did not enter the chart. When, "Bump the glass" appeared, the results may be reviewed by the Regional Privacy Officer, but not routinely. The CD and CM were asked if the OB tech had ever broken or bumped the glass. The CM contacted the Regional Compliance Office who emailed back that there was no record of the OB tech breaking or bumping the glass.
The second process was a proactive review of chart access where there was no clear reason why the individual entered the chart, for example the employee was not assigned to the patient, however, he/she lived in the same neighborhood, etc. The CM stated that currently there were no guidelines as to what type of access would be considered unauthorized for an OB tech. The CD and CM were asked if this type of report had ever indicated that the OB tech was accessing charts inappropriately based on the continuous access of patient demographics and they said, "No." A report submitted by the CM showed that the OB tech had accessed 32 charts in 2007 and 41 charts in 2008. However, in 2009 when the facility implemented the two monitoring systems, the OB tech's access increased to 194 in 2009 and continued to climb in 2010 at 552. The CD stated that the OB tech for all purposes, was assigned to the perinatal area, therefore, her access would not have been unusual unless there was an issue.
The CD was asked how they would monitor the access for all staff if there were no identifiable parameters to assist them in recognizing unauthorized access and she stated that the hospital's, "Regional" group were beginning to discuss the efficacy and range of employee access. On 12/7/10 beginning at 9:45 a.m., the following areas were toured and when asked:
1. A certified nursing assistant (CNA) on 4 main, was able to access a patient's medical record in room 319-A.
2. Another CNA on the 4th floor was able to access a psychiatric patient that was currently in the emergency department (ED).
3. A CNA on the 3rd floor was able to access a patient in the ICU.
4. Another CNA on the 3rd floor was able to access another patient in the ED.
5. An OB tech on post partum was able to access an ED overdose patient who was at one of the sister facilities.
An interview was conducted with the HR Manager (HRM) on 12/8/10 at 9:30 a.m. The HRM stated that when a manager notifies HR about an employee issue, HR will provide guidance for handling the issue. The HRM stated that in the event of a breach, they will usually suspend the employee as soon as they are notified until the investigation is completed.
Tag No.: A0143
Based on observation, interview and Policy and Procedure review, the facility failed to ensure that a patient had visual privacy during an examination in the Emergency Department.
Findings:
During the initial tour of the Emergency Department (ED) on 12/6/10 at approximately 9:40 a.m. a patient (11) was observed in a triage room lying on his back with his shirt raised above his abdomen. There was a nurse in the room with him. The ED manager and the ED coordinator observed this along with the Department. The ED manager stated that he thought the triage nurse may have just finished doing an EKG. When asked if there was a privacy curtain in the triage area both the ED manager and coordinator stated that there were privacy curtains in each triage room. The triage rooms have large glass windows that face the waiting room in the ED. During an interview at 2:20 p.m. on 12/7/10, the ED manager acknowledged that the nurse should have closed the curtain to maintain visual privacy for the patient.
Review of a document titled Patient Rights and Responsibilities, approved 7/10, showed that under 6.2 Privacy and Confidentiality A) The patient has the right, within the law, to personal and informational privacy, as manifested by the right to: 9. Expect the Hospital to maximize the patient's visual and auditory privacy during interview and examinations.
Tag No.: A0441
Based on interviews and review of Policies and Procedures, the facility failed to follow its policies and procedures regarding confidentiality of patient records when an employee accessed unauthorized patient records.
Findings:
On 11/3/10 the facility reported to the Department that an Obstetrics technician (OB tech) had accessed patient records without authorization. On 12/7/10 at 8:10 a.m., an interview was conducted with the nurse (RN 1) who had initially reported the unauthorized access by the OB tech to the unit's management. During the interview RN 1 stated that some of the usual OB tech duties were to set up carts, prepare the operating room (OR), pass the OR instruments and transport patients. RN 1 stated that an OB tech assists the physician during an infant circumcision and that the OB tech would access the infant's medical record to document the "time out" (a safety measure that ensures the identity and procedure of a patient prior to undergoing surgery) prior to a circumcision. RN 1 stated that she could not think of any other reason that the OB tech would need to access the medical record.
RN 1 stated that she was the relief charge nurse on the day she reported the access, (although she could not recall the exact date). RN 1 stated that she observed the OB tech in the nurse's station at one of the computers. RN 1 stated that the OB tech was spending a long time at the computer and she noticed that the OB tech was looking at a patient's chart. RN 1 stated that the OB tech had spent approximately 45 minutes at the computer terminal and that during that time RN 1 would look over at the OB tech "several times" and noticed that she was accessing different patient charts. RN 1 stated that on that day she notified the on-duty, Assistant Department Manager (ADM), the OB tech was looking at non-infant charts.
In an interview on 12/18/10 the Compliance Director (CD) was asked if there were any monitoring processes in place in regards to unauthorized access. The CD stated that the facility implemented two programs around May, 2009. One of the programs was, "Break the glass/Bump the glass" and the other program was "System Activity Monitoring & Auditing." The CD stated that the first process was a tool that was applied to the clinical charts of patients with high profile/risk situations such as public figures, celebrities, gang members, etc. The system puts up a protective warning which asks the user if they want to continue to access this chart and "break the glass." All of these entries are reviewed to ensure that the access was authorized. "Bump the glass" meant that an individual saw the warning message and did not enter the chart. When, "Bump the glass" appeared, the results may be reviewed by the Regional Privacy Officer, but not routinely. The CD and Compliance Manager (CM) were asked if the OB tech had ever broken or bumped the glass. The CM contacted the Regional Compliance Office who emailed back that there was no record of the OB tech breaking or bumping the glass.
The second process was a proactive review of chart access where there was no clear reason why the individual entered the chart, for example the employee was not assigned to the patient, however, he/she lived in the same neighborhood, etc. The CM stated that currently there were no guidelines as to what type of access would be considered unauthorized for an OB tech. The CD and CM were asked if this type of report had ever indicated that the OB tech was accessing charts inappropriately based on the continuous access of patient demographics and they said, "No." A report submitted by the CM showed that the OB tech had accessed 32 charts in 2007 and 41 charts in 2008. However, in 2009 when the facility implemented the two monitoring systems, the OB tech's access increased to 194 in 2009 and continued to climb in 2010 at 552. The CD stated that the OB tech for all purposes, was assigned to the perinatal area, therefore, her access would not have been unusual unless there was an issue.
The CD was asked how they would monitor the access for all staff if there were no identifiable parameters to assist them in recognizing unauthorized access and she stated that the hospital's, "Regional" group were beginning to discuss the efficacy and range of employee access. On 12/7/10 beginning at 9:45 a.m., the following areas were toured and when asked:
1. A certified nursing assistant (CNA) on 4 main, was able to access a patient's medical record in room 319-A.
2. Another CNA on the 4th floor was able to access a psychiatric patient that was currently in the emergency department (ED).
3. A CNA on the 3rd floor was able to access a patient in the ICU.
4. Another CNA on the 3rd floor was able to access another patient in the ED.
5. An OB tech on post partum was able to access an ED overdose patient who was at one of the sister facilities.
Review of a facility policy titled Patient Rights & Responsibilities, approved 7/10, revealed under 6.2 Privacy and Confidentiality, A. The patient has the right, within the law, to personal and informational privacy, as manifested by the right to: 5. Have the medical information/medical record read only by individuals who have legitimate and authorized access to the information. Other individuals may access the medical information/medical records only after patient or his/her legally authorized representative provides authorization in writing.
Tag No.: A0467
Based on medical record review and staff interview, the facility failed to ensure that all records contained reports of treatment/monitoring of the patient's condition during transport by ambulance to another hospital in one of one transported patient's record.
Findings:
Patient 6's record was reviewed on 12/7/10 beginning at 2:05 p.m. During the patient's hospitalization, it was determined that a cardiac catheterization was required. The patient was transported to another hospital approximately 14 miles away where the procedure was done and the patient was returned to this hospital. No documentation from the transport agency and monitoring of the patient during transport was found in the medical record.
On 12/8/10 at 10:45 a.m., the record was re-reviewed with the Clinical Informatics Coordinator who confirmed that there was no ambulance report and that this report should be in the record to document the monitoring of the patient during transport back and forth. This failure to include the ambulance report promptly in the patient's record may have resulted in health care staff not having access to information necessary to monitor the patient's condition.