HospitalInspections.org

Bringing transparency to federal inspections

1100 MERCER AVE

DECATUR, IN 46733

QUALITY ASSURANCE

Tag No.: C0342

Based on document review and interview, the facility failed to complete an incident report and failed to document and address deficiencies and remedial actions through its Quality Assessment/Performance Improvement (QAPI) program for one critical event in 2018.

Findings include:

1. Review of the policy/procedure HIP.1A.23 ePHI Security: Security Incident (reviewed 12-17) indicated the following: "This policy governs the general response, documentation and reporting of incidents affecting computerized and electronic information resources, such as theft, intrusion, misuse of data, denial of service, corruption of software... Once identified, the Privacy and ePHI Security Officer will use the Security Incident Report to log and track Incidents... Wherever possible, documentation of such Incidents will cross-reference other event databases. Any Incidents involving these systems will be logged on the Security Incident Form... The ePHI Security Officer will maintain the response (sic) and investigation of each Incident..."

2. Review of the policy/procedure GPC.01.59 Incident/Accident Reporting (reviewed 6-17) indicated the following: "All (health network) staff are responsible for initiating a Variance Report/PIER form/worksheet at the time or, as soon as they become aware of any incident/accident occurrence not consistent with the routine operation of the network..."

3. On 1-29-18 at 1610 hours, the Chief Information Officer, staff A4, confirmed that on 1-11-18 at 1800 hours a critical event involving ePHI (electronic Protected Health Information) ransomware with data encryption vs corruption was detected that affected 80% of the IT (information technology) system infrastructure, and confirmed that no Security Incident Report or Variance Report documentation was initiated for the event.

4. Review of the facility Quality Assessment Performance Improvement Program 2018 (approved 1-18) indicated the following: "The Quality Council has the authority to charter teams for problem solving and resolution... The Quality Council shall have the authority to assess quality problems relative to all Network Members and determine the significance of the problems, establish priorities for investigation, and recommend action to be taken... The Quality Council will meet on a monthly basis or on-call if a Sentinel/Reportable Event indicates a need for Quality Council intervention, i.e., investigation/follow-up... The Quality and Safety Committee... is responsible for reviewing all Hospital Incident Reports and requesting investigations/follow-up as appropriate."

5. Review of the 1-17-18 Quality and Safety Committee meeting, 1-22-18 Quality Council meeting, and 1-24-18 Governing Board meeting minutes indicated the minutes lacked documentation indicating the critical event involving the ePHI ransomware and IT system outage was presented or reviewed.

6. On 1-29-18 at 1710 hours, the Chief Information Officer, staff A4, confirmed the January 2018 Quality and Safety Committee, Quality Council, and Governing Board minutes lacked documentation indicating the status of the ePHI ransomware and IT system outage, including any Quality Committee or Board recommendations, and confirmed no other documentation was available.