HospitalInspections.org

Based on interview and documentation review it was determined the Hospital failed to ensure the contracted pathology service was in compliance with all of the Conditions of Participation and that patients' individually identifiable health information was disposed of appropriately to protect their privacy, in accordance with standards of practice.

Refer to TAG # A-0441,

Based on interview and documentation review it was determined the hospital failed to ensure the Quality Assurance activities conducted in relation to the contracted pathology service included evaluation of the method utilized for disposal of of patients' individually identifiable health information and that the method was effective and in compliance with hospital policies .

Refer to TAG # A-0441, A-0267

Based on interview and documentation review it was determined the hospital failed to measure and track how patients' individually identifiable health information was disposed of by the contracted pathology service to ensure all patients' personal privacy was maintained.

Refer to TAG # A-0441

Based on interview and documentation review it was determined the Hospital failed to ensure the confidentiality of all patients medical record information was maintained by the contracted pathology service in accordance with hospital policies.

Findings included:

The agreement between the Hospital and the Pathology Physician's Group was reviewed. The Agreement stated each physician (pathologist) shall comply with the Hospital and Medical Staff By-Laws, rules, regulations and policies, including those of departments and committees. The Pathology Department Chief shall devote such time, attention and energy as is necessary............to provide to the hospital the following administrative and related services. Management and administration of the delivery of all Pathology Services in the Hospital in a manner which complies with the By-Laws of the Hospital and the By-Laws, rules and regulations of the Medical Staff, Departments and Committees and all applicable federal, state and local laws.

The Hospital policy that addressed destruction of medical records was reviewed. The Policy addressed the destruction of medical records of patients whose last episode of care was at least 20 year prior to the review date. The policy did not address any other classification of written and/or electronic documentation containing patients' individually identifiable health information that was no longer needed and was to be discarded. This was the only policy provided when the Surveyor requested all Hospital policies and procedures related to disposal of patient medical records and documentation containing any personal health care information/personal identification information.

The Hospital policy that addressed contracts with business associates was reviewed. The Policy stated the Hospital ensures that its Business Associates protect patients' right to privacy in accordance with Health Insurance Portability and Accountability Act (HIPAA), other federal and state law and Hospital's confidentiality/privacy policies. The Business Associate will ensure that any third parties including a subcontractor of the the Business Associate, to whom it discloses Protected Health Information received from, or created or received by the Business Associate on behalf of the Hospital, agrees to the same restrictions and conditions that apply to the Business Associated with respect to the information. At the termination of the Business Associate Contract, if feasible, the Business Associate will return or destroy all Protected Health Information received from, or crated or received by the Business Associate on behalf of the Hospital that the Business Associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the Business Associate Contract to the information and limit further uses and disclosure to those purposes that make the return or destruction of the information infeasible.

The Contracted billing service had failed to follow the Hospital's policy that address contracts with business associate as evidenced by its inappropriate disposal of documents containing personal health care information and personal identification information at a trash transfer station.

The Chief of Pathology was interviewed in person on 8/18/10 at 1:45 PM. The Chief of Pathology said all he/she could find was the initial proposal, from the billing company in 1984, to provide bill services to the Pathology Group and he/she did not think the Pathology group ever had a formal contract with the billing company.

The Director of Quality Management was interviewed in person on 8/18/10 at 12:15 PM. The Director of Quality Management said the Pathology group does participate in the Hospital's quality assessment program however all of the data related to clinical performance. Information/ data related to how the Pathology Physician's Group was handling the disposal of patients' individually identifiable health information that was provided to them for billing purposes, by the Hospital, was never a part of the quality indicators collected and reviewed.

Based on interview and documentation review it was determined the Hospital failed to ensure there was an adequated and established system in place to ensure unauthorized individuals could not access the records of patient provided services by the hospital contracted pathology service.

Findings included:

Refer to Tag A-0441