HospitalInspections.org

Based on observation of the electronic system used for Cardiac and Pulmonary Rehabilitation, review of policy and procedures, review of electronic medical records and staff interviews, the Critical Access Hospital (CAH) failed to ensure the confidentiality of medical record information for 1 of 1 Cardiac Rehabilitation records reviewed (Medical Record 41). This failed practice had the potential to affect all cardiac and pulmonary rehabilitation patients. The CAH currently had 6 cardiac rehabilitation patients and no pulmonary rehabilitation patients. For Fiscal Year 2013/2014 (August 1, 2013 to July 31,2014) the CAH had a total of 28 cardiac and 5 pulmonary rehabilitation patients.

Findings are:

A. Interview with the Director of Nursing (DON) and Chief Clinical Officer (CCO) on 7/22/15 from 4:30 PM to 4:45 PM revealed the following information about the Cardiac/Pulmonary Rehabilitation services:
-The CAH uses a computer program that electronically monitors the patient during their exercise session;
-Each session report must be printed off and signed by the cardiac rehabilitation nurse; and,
-Health Information Management scans the printed session information into the electronic record.

B. Review of the electronic medical record for Patient 41 and review of session reports dated 2/10/15, 3/4/15, 4/8/15, 5/4/15 and 5/27/15 revealed these reports contained the following patient health information: vital signs; medications; height; weight; and, comments written by the nurse.

C. Observation on 7/22/15 from 4:20 PM to 4:30 PM revealed cardiac/pulmonary rehabilitation and physical therapy share space and equipment. At this same time the DON demonstrated how to access the software program on the computer located in the area where treadmill, stationary bicycles and other rehabilitation equipment was located. To access the program all the DON had to do was type in the employee generic password to access the CAH's intranet. The DON indicated that all employees use the same password. The DON was able to access the software program and patient names by just typing in the generic password.

D. On 7/23/15 from 8:20 AM to 8:30 PM the Information Technology (IT) Manager and Security Officer demonstrated the following steps to access the cardiac/pulmonary rehabilitation software:
-Pressed the Ctrl (control), Alt (alternate), Delete keys on the key board and the box came up to type in a password;
-The employee generic password was typed in and the desktop came up with several Icons (Icons are shortcuts to access computer programs);
-Next the IT Manager double clicked on the cardiac/pulmonary rehabilitation icon and the software program opened; and,
-Lastly the admissions button was clicked on patient names were displayed.
Any employee in the hospital could access this patient information.

Interview with the Information Technology (IT) Manager and Security Officer on 7/23/15 at 9:05 AM revealed the company for the cardiac/pulmonary rehabilitation software had been called and a second software program was available to provide security for accessing this cardiac/pulmonary rehabilitation software.

E. Review of the policy and procedure titled Information System Security Policy with a last revised date of January 2014 revealed the following:
-Physical Security - "Whenever possible, computers and information systems with PHI [Protected Health Information] will be located in areas that can be secured by lock when unattended....";
-A section on Passwords talked about security of passwords and the creation of strong passwords but lacked information on which computer software programs required employee specific passwords.

Based on record review and staff interview the facility failed to ensure the swing bed patient records included a recapitulation (a concise summary) of their swing bed stay in 3 of 3 (Patients 34, 35 and 36) discharged swing bed records reviewed. The Critical Access Hospital (CAH) had 244 swing bed dismissals from 8/1/13 - 7/31/14. This has the potential to affect all discharged swing bed patients.

Findings are:

A. Review of Patient 34's medical record revealed a lack of a recapitulation of the patient's swing bed stay from 2/13/15-2/16/15.

B. Review of Patient 35's medical record revealed a lack of a recapitulation of the patient's swing bed stay from 4/18/15-4/27/15.

C. Review of Patient 36's medical record revealed a lack of a recapitulation of the patient's swing bed stay from 3/17/15-3/21/15.

D. An interview with the Health Information Management Supervisor on 7/23/15 at 1:10 PM revealed, "That the chart is to be fully completed within 30 days of discharge."

E. The 7/01 Swing Bed Discharge Summary policy and procedure identified:
-The policy as "...the resident will have a discharge summary that includes recapitulation of the resident's stay, a final summary of patient status and a post discharge plan of care..."
-The procedure as "...as a final summary of the resident's status will be done at the time of discharge and will be available for release to authorized persons and agencies, with the consent of the resident or legal representative. This final summary will be done by the RN (Registered Nurse) Director of Social Services or designee..."