HospitalInspections.org

Based on observation, interview, and record review, the hospital failed to ensure the privacy and security of patients' medical information when:

1. Providers did not log out of the electronic health record (EHR) leaving live patient information exposed;

2. Emergency Department (ED) Forms room was not secured;

3. The confidential medical records for six of 67 sampled patients (Patient 66, Patient 65, Patient 64, Patient 60, Patient 59 and Patient 57) were not given to the correct patient;

4. The confidential medical records for 18 of 67 sampled patients (Patient 41, Patient 42, Patient 43, Patient 44, Patient 45, Patient 46, Patient 47, Paatient 53, Patient 61, Patient 62 and Patient 63) were not given to the authorized provider;

5. Contracted business associate vendors had lapses of secure medical record handling;

6. An electrocardiogram (EKG - a mechanical device used to graph the heart's electrical activity) monitor screen was left on and unattended with exposed patient information;

7. A report was left unattended with exposed patient information; and,

8. The clinical records for seven of 67 sampled patients (Patient 11, Patient 35, Patient 36, Patient 37, Patient 38, Patient 39, and Patient 40) were not maintained in a secure area.

These failures exposed patients' confidential medical information, did not maintain patients' right of privacy and had the potential for additional unauthorized access to patients' confidential medical information.

Findings:

1a. During a concurrent observation and interview with the Regulatory Specialist (RS), on 10/11/18, at 9:40 AM, the doorway to the physician charting room, in the ED, was open. Two of five EHR computer terminals in the physician charting room were unmanned, with live screens that exposed patient information. The RS confirmed the physician charting room was unlocked and patient information was exposed on the screens.

1b. During a concurrent observation and interview with the RS, on 10/11/18, at 10:15 AM, two bedside EHR computers, in the ED, displayed live patient data when care providers walked away leaving the live patient data exposed. The RS confirmed the two bedside EHR computers were not closed when care providers walked away.

During a concurrent observation and interview with the ED Supervisor (EDS), on 12/11/18, at 9:45 AM, a care provider walked away from the ED nursing station leaving live patient data exposed on a terminal screen. The EDS confirmed the care provider did not close the terminal screen before walking away.

2. During a concurrent observation and interview with the Emergency Department Charge Nurse (ED CN), on 10/11/18, at 10:35 AM, the ED Forms room, where clinical records for transfer patients were kept, had an open, unlocked door. An ambulance driver was observed inside the ED Forms room. The ED CN confirmed the ambulance driver was not a staff and should not be using the forms room as a break area.

3. The hospital's document titled "Report of Confidentiality Failures" (Health Insurance Portability Assurance Act [HIPAA-Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft] Report I) was reviewed on 10/11/18. The HIPAA Report I, dated 1/18 through 9/18, indicated six of 67 sampled patients' (Patient 66, Patient 65, Patient 64, Patient 60, Patient 59 and Patient 57) confidential information provided to the wrong patient in the ED when:

on 1/16/18, Patient 66 received another patient's prescription;
on 2/6/18, Patient 65's discharge summary was given to another patient;
on 3/14/18, Patient 64 received another patient's prescription;
on 5/3/18, Patient 60's discharge instructions which included a summary of diagnostic lab blood work, computed tomography (a diagnostic medical test, like traditional x-rays, produces multiple images or pictures of the inside of the body), and urine test were given to the wrong patient;
on 8/18/18, Patient 59's ED medication prescription was given to another patient; and
on 9/12/18, Patient 57 received another patient's prescription.

The hospital's document titled "HIPAA Report II" was reviewed on 12/12/18. HIPAA Report II, dated 12/18, indicated two of 67 sampled patients (Patient 16 and Patient 17) confidential information provided to the wrong patient in the ED when:

on 11/3/18, Patient 16 received another patient's prescription; and,
on 10/30/18 Patient 17's ED discharge summary was given to the wrong patient.

During an interview with the hospital Privacy Officer (Pv Ofcr), on 12/12/18, at 1:15 PM, he stated a safety event committee meeting was held on 10/5/18, and no corrective measures to educate or change processes in the ED had been implemented.

The hospital policy and procedure titled "Corporate Standard Policy: Breach Discovery and Notification (CA Only)" dated 2/9/18, indicated "c. Identifying the scope of the incident, including assuring that the incident is contained and that no further incidents are occurring as a result. . . AH facilities shall. . .and must review internal policies and procedures to determine if changes are necessary to strengthen patient privacy protections and to prevent similar occurrences in the future."

4. The hospital's HIPAA Report I was reviewed on 10/11/18. HIPAA Report I, dated 1/18 through 9/18, indicated 18 of 67 sampled patients' (Patient 41, Patient 42, Patient 43, Patient 44, Patient 45, Patient 53, Patient 46, Patient 47, Patient 61, Patient 62, Patient 63, Patient 52, Patient 50, Patient 51, Patient 49, Patient 48, Patient 54 and Patient 55) medical records were sent to the wrong provider or facility by the hospitals contracted vendor.
Discovered on 2/16/18, Patient 41's report was sent to the wrong provider;
Discovered on 3/31/18, Patient 42's report was sent to the wrong provider;
Discovered on 3/31/18, Patient 43's report was sent to the wrong provider;
Discovered on 4/9/18, Patient 44's report was sent to the wrong provider;
Discovered on 4/11/18, Patient 45's report was sent to the wrong provider;
Discovered on 4/11/18, Patient 53's confidential information was scanned into the wrong patient record;
Discovered on 3/6/18, Patient 46's report was sent to the wrong provider;
Discovered on 4/13/18, Patient 47's report was sent to the wrong provider;
Discovered on 4/5/18, Patient 61's report was sent to the wrong hospital;
Discovered on 4/5/18, Patient 62's report was sent to the wrong hospital;
Discovered on 4/18/18, Patient 63's report was sent to the wrong location;
Discovered on 5/8/18, Patient 52's confidential information was scanned into the wrong patient record;
On 5/9/18, Patient 50's confidential information was scanned into the wrong patient record;
Discovered on 5/9/18, Patient 51's confidential information was scanned into the wrong patient record.
On 5/10/18, Patient 49's confidential information was scanned into the wrong patient record;
On 5/22/18, Patient 48's confidential information was faxed to incorrect location;
On 5/31/18, Patient 54's confidential information was faxed to incorrect location; and
On 6/18/18, Patient 55's confidential information was faxed to incorrect location;

The hospital policy and procedure titled "CPDI [(Vendor Name) Provision Document Imaging] Policy" dated 2/9/18, indicated "Review all images in the batch and verify the patient name, MR # [medical record number], Account #, are correct. . .Relocate electronic images that are incorrectly filed in another account."



40516

5. During a concurrent observation and interview with the RS, on 12/11/18, at 9:33 AM, a portable EKG machine was unattended in the ED. The EKG screen was on and Patient 67's name and date of birth were exposed. The RS stated the screen should not have been left on and "they [EKG technicians] usually print it [test results] and close it [the screen]."

6. During a concurrent observation and interview with the EDS, on 12/11/18, at 9:40 AM, a Medication Order Override Report was left unattended at the right corner of the nurse's station. The corner of the nurse's station was open to the aisle used by staff members, ambulance/paramedic staff, as well as patients and family members. The EDS confirmed the report listed patient names and stated it should not have been left unattended.



39650

7. During a concurrent observation and interview with the Labor and Delivery Manager (Manager 3), the clinical records for seven of 67 sampled patients (Patient 11, Patient 35, Patient 36, Patient 37, Patient 38, Patient 39, and Patient 40) were noted in holders in the hallway outside of patient rooms. Locks were observed on the holders, but were not in use. Visitors were observed in the hallway. No staff was observed near the patients' clinical records. Manager 3 confirmed the patients' clinical records containing confidential patient information were in holders in the hallway and stated the locks were not used.

Based on observation, interview, and record review, the hospital failed to safeguard and secure medical records when:

1. The hospital did not have a process for the accounting of disclosures to patients to determine a reasonable limitation of release of information.

2. Medical records were left unsecured in the emergency department (ED), 4 N telemetry (patients are under continuous electronic monitoring), and labor and delivery departments.

This failure had the potential for patients to be unaware of who had accessed their confidential medical records and unauthorized individuals to access confidential medical records in patient care areas.

Findings:

1. During a concurrent observation and interview with Health Information Management 1 (HIM 1), HIM Lead, and HIM Supervisor, on 12/11/18, at 11 AM, the medical record for a discharged patient (Patient 25) was reviewed. HIM 1, HIM Lead, and HIM Supervisor were unable to provide an accounting of medical record disclosures for Patient 25.

The hospital policy and procedure titled "Release of Information in Profile Request Manager" dated 9/27/17, indicated "Release of information must be logged and tracked to identify when requested, who requested, what was requested and where the information was released."

2a. During a concurrent observation and interview with Regulatory Specialist (RS), on 10/11/18, at 9:45 AM, three racks containing the medical records for each patient in the main treatment area, were noted on the ED central nursing station counter. Two racks held current patient medical records. The third rack held discharged patient medical records. The RS confirmed patient records were on the counter of the central nursing station.

During a concurrent observation and interview with the RS, on 10/11/18, at 10 AM, the RS confirmed Patient 56's radiology order, dated 10/3/18, eight days earlier, was on the ED central nursing station counter.

2b. During a concurrent observation, interview and record review with 4 North Charge Nurse (4N RN), in the 4 North telemetry unit, on 10/11/18, at 11:30 AM, she confirmed paper medical records were in unlocked computer work stations outside patients' rooms. There were 44 patient beds located on the telemetry unit, with workstation shelves outside every other room. 4N RN stated the unit usually was full of patients and the patients' medical records had been kept in the unlocked work stations outside the patients' rooms for many years. 4N RN reviewed the clinical record for Patient 26. She confirmed the clinical record included patient identification stickers with full name and medical record numbers, a conditions for admission consent, the ED triage sheets, medical orders, consents for treatment, a pre-procedure check list for a Peripherally Inserted Central Catheter line (PICC, a long, thin, flexible tube called a catheter used to give chemotherapy and other medicines), and skin wound photos. 4N RN confirmed there was no physical security safeguard, such as a lock, to prevent access to the medical records and protected health information was exposed and the medical record was accessible to unauthorized persons in the hallway at all hours.

2c. During an observation of Labor and Delivery unit, on 12/11/18, at 2:15 PM, patient medical records had been located by each patient room earlier that day, but were re-located to the central nursing station. There were 14 post-partum (after child birth) beds in the Labor and Delivery area.

During an interview with the Labor and Delivery Manager 3, on 12/11/18, at 2:20 PM, she confirmed the patient medical records which had been unsecured, at the patient room work stations, were relocated behind the 3N nursing station at 1 PM on 12/11/18.

Based on interview and record review, the hospital failed to ensure timely and effective pain management for one of five sampled emergency department (ED) patients (Patient 28). This failure resulted in Patient 28's pain not being addressed.

Findings:

During an interview with the Quality Control Nurse and review of the clinical record for Patient 28, on 12/11/18, at 2:52 PM, she confirmed the clinical record indicated Patient 28 had a respiratory rate of 20 (normal rate is 12 to 18 for a healthy adult at rest, elevated rates may indicate pain) and a pain level of ten (10/10 - numerical pain assessment scale from 0-10 in which 0 equals no pain and 10 equals the worst pain), on 12/8/18, at 8:43 PM. No further pain assessments were noted. The ED Clinical Note, dated 12/8/18, at 9:25 PM, indicated poison control had been contacted and had recommended ibuprofen (nonsteroidal anti-inflammatory drug to reduce inflammation and pain) and a mild steroid for itching. The Medication Administration Record (MAR), dated 12/8/18, at 9:35 PM, indicated diphenhydramine (an antihistamine), 50 milligrams (mg - unit of measurement) was administered by injection into a muscle. The hospital was unable to provide written documentation of any pain medication administration and pain management care plan.

The hospital policy and procedure titled "Pain Management Assessment and Reassessment" dated 11/11/15, indicated "All patients presenting to the emergency department shall be questioned as whether or not they are experiencing pain. . . The current national standard for pain assessment is the 0-10 scale in which 0 equals no pain and 10 equals the worst pain. . . A pain management care plan should be initiated for all patients who report pain."

Based on interview and record review, the hospital failed to ensure pre pain assessments (pain level before pain medication was given) and post pain assessments (pain level after pain medication was given) were documented for four of 67 sampled patients (Patient 6, Patient 7, Patient 8 and Patient 15). This failure had the potential to contribute to unmet pain management needs or over medication.

Findings:

During an interview with the Policy and Procedure Coordinator (PPC) and review of the clinical record for Patient 6, Patient 7, Patient 8 and Patient 15, on 12/12/18, at 9:36 AM, the PPC confirmed the following:

Medication Administration Record (MAR), dated 10/18, for Patient 6 indicated on 10/10/18, at 2:46 PM and 8:39 PM, ketorolac (pain medication) was administered. The hospital was unable to provide written documentation of pre or post pain assessments.

MAR, dated 9/18, for Patient 7 indicated ketorolac was administered on 9/7/18, at 6:07 PM, on 9/8/18, at 1:00 AM, and on 9/8/18 at 6:35 AM. The MAR also indicated Ibuprofen (mild pain medication) was administered on 9/8/18 at 9:06 PM and 9/9/18 at 8:01 AM. There were no documentation pain assessments were done before and after administration of both medications.

MAR, dated 9/18, for Patient 8 indicated ketorolac was administered on 9/15/18 at 1:07 PM, on 9/15/18 at 4:40 AM, and on 9/16/18 at 12:02 PM. The hospital was unable to provide written documentation of pre or post pain assessments.

MAR, dated 10/18, for Patient 15 indicated ketorolac was administered on 10/3/18 at 2:26 AM and 10/3/18 at 8:05 AM. The hospital was unable to provide written documentation of pre or post pain assessments.

The hospital policy and procedure titled "Pain Management Assessment and Reassessment" dated 11/11/15, indicated "B. COMPREHENSIVE PAIN ASSESSMENT . . . 2. An age and ability-appropriate comprehensive pain assessment for each pain location shall be performed c. As needed (PRN) when a patient reports new or significant change in pain (location, radiation, quality, level). . . C. PAIN REASSESSMENT 1. A pain reassessment shall be performed within approximately one hour after pain intervention and if pain level increases. . . I. DOCUMENTAL 1. Pain assessments, reassessments, and pain intensity levels are documented in the medical record."