HospitalInspections.org

Based on observation, hospital policy review and staff interviews, the critical access hospital (CAH) failed to ensure hospital staff safeguard the confidentiality of patient medical record information through the following:

1) unsecured patient medical record information in shred bins in the Emergency Department (ED), inpatient/outpatient registration area and Medical/Surgical Deparment;

2) unsecured faxed patient medical record information in the RehabilitationTherapy Department; and,

3) unsecured posted listing of patient names (both inpatients and outpatients) along with their scheduled laboratory testing information in the Laboratory Department.

The culmulative effect of these processes resulted in the potential for patient Protected Health Information to be available for unauthorized access/ use of the information at multiple locations in the hospital, affecting patients receiving both inpatient and outpatient hospital services (see C1120).

Based on observation, hospital policy review and staff interviews, the critical access hospital (CAH) failed to ensure hospital staff safeguard the confidentiality of patient medical record information against the potential of unauthorized access/ use of the information through unsecured patient medical record information in shred bins in the Emergency Department (ED), inpatient/outpatient registration area and Medical/Surgical Deparment, unsecured faxed patient medical record information in the Rehabilitation Therapy Department and the listing of patient names (both inpatients and outpatients) along with their scheduled laboratory testing information in the Laboratory Department. The CAH reported an average census total of 320 patients per month in the ED, an average of 1300 laboratory tests per month, an average of 80-100 outpatient therapy patients per month and a daily average census of 4 patients per day in the Medical/Surgical Department.

Failure to ensure CAH staff safeguarded the confidentiality of patient medical record information against the potential of unauthorized access/use placed patients at risk for loss of privacy and theft of their protected health information.

Findings include:

Review of the hospital's policy, titled Securing and Safeguarding of Health Information Management, dated 6/23/23, revealed the purpose of the policy was to provide direction and guidelines for the security and safeguarding of health and hospital information against loss, destruction, tampering and unauthorized access and uses. The policy directed staff to strive to ensure that medical records and other information medium were maintained in secure and restricted areas with access limited to those staff members who have a "need to access" based on either patient care needs and/or position responsibilities.

1. On 3/26/24 at 8:04 AM, observation during a tour of the Medical-Surgical Department with the Medical Surgical Nursing Supervisor and Administrator revealed the Medical Surgical Department was located on the second floor of the hospital. Observation of Room 212, identified by the Medical Surgical Nursing Supervisor as one of two physician sleeping rooms revealed a partially open door with the room light off. Upon entering the room, the surveyor observed patient Protected Health Information (PHI) located face up on the top of a filing cabinet and no persons present in the room.

On 3/26/24 at 09:10 AM, observation revealed a shred bin that contained unsecured Protected Health Information (PHI) alongside the wall of the Medical-Surgical Department nurse's station. The Surveyor noted that the door to the shred bin was partially open and, upon further inspection, observed the bin was approximately half-full of unshredded patient medical records.

2. On 3/26/24 at approximately 11:30 AM, observation, during a tour of the Laboratory Department with the Staff V, Laboratory Leader, revealed two large television monitors that displayed the first and last names of 12 patients, a combination of inpatients and outpatients, with their scheduled lab tests to be drawn.

During an interview on 3/26/24, at the time of the tour, Staff V, Laboratory Leader, introduced the surveyors to a laboratory equipment technician who was present in the lab at the time of the tour. The laboratory equipment technician was not an employee of the hospital and would have no reason to have access to patient PHI. Staff V, Laboratory Leader, revealed staff never turned off the television monitors and they kept the door to the laboratory unlocked at all times. Staff V, Laboratory Leader, confirmed that housekeeping and maintenance had access to the area and were able to view the information displayed on the monitors.

3. On 3/26/24 at 2:28 PM, the surveyor entered the hospital's Health Information Management (HIM) Department, which was located on the first floor of the hospital, with the hospital Administrator. Observation of the room revealed 2 entry doors, one door had a lock with a keypad code entry, and the other entry door had a lock with a key entry. The room had a wall with multiple slots. Each of the slots contained documents with patient health information protected with a cover sheet over the patient's information. The surveyor observed one person in the room, Staff M, Quality Control Index Technician.

In an interview, during the same observation, Staff M, Quality Control Index Technician (QCIT), reported the HIM Department had a shred bin with patient medical information that stayed in the department until the contracted shredding company came to remove it. The Administrator reported there were several shred bins located throughout the hospital.

4. On 3/26/24, starting at 2:42 PM, tour of the hospital with the Administrator for the purpose of locating the shred bins throughout the hospital revealed the following:

a. Observation of the hospital's Emergency Department (ED) revealed an unlocked shred bin with a lid located behind the nurses' station and filled more than halfway with unshredded PHI. The nurses' station was open on either side with no physical restrictions to access the area behind the nurses' station. The ED staff included Staff N, RN, Staff O, RN and Staff P, Physician.

In an interview, during the same ED observation, Staff O, RN, reported the lock on the bin had recently broken and hospital staff had not replaced it yet. Staff N, RN, did not think that patients or visits would have access to the unlocked shred bin. Staff P, Physician, reported the potential existed for no staff to be present in or around the nurses' station area in the event a patient coded (the type of emergency treatment a person would receive if their heart or breathing would stop) and all staff responded.

b. Observation of the hospital's registration area for all patients seeking outpatient and ED services revealed the area to be located directly inside of the main hospital entrance and to consist of two offices enclosed by glass. A staff person was seated in one of the offices talking with a patient. Observation of the second office revealed the light to be on, the door partially shut and no one present. Upon entering the office, the surveyor noted an open trash can located under the desk in the room and half-filled with unshredded PHI. The two registration offices were separated by a glass door that was open at the time of the observation.

In an interview, during the same observation of the hospital's registration area, when asked if there was a potential for someone to access the patient healthcare information in the open trash can, the Administrator confirmed this was a possibility. The Administrator reported the registration staff worked 7:00 AM to 5:00 PM, and they locked the offices outside of those hours. Registration staff would leave the registration office area to take patient's to the ED or laboratory at times. The Administrator explained there were several cameras monitoring the registration area and offices, and they would catch someone if they took the information.

c. Observation of the Medical/Surgical Department revealed an unlocked shred bin located behind the open nurses' station. The shred bin had a lock on it, but the lock was not engaged. The shred bin was more than half filled with unshredded PHI. The shred bin included a sign located on the front of the bin which directed staff to please lock the bin after emptying the bin.

In an interview, during the same observation of the Medical/Surgical Department, Staff K, RN, reported they had been told by other nursing staff that there was something wrong with the lock on the bin and to use a pair of scissors to move the lock between the open and closed position. Staff K, RN, demonstrated how to move the lock to the open or locked position with the use of a pair of scissors. Staff K, reported the key for the shred bin was missing. Staff K, RN, reported there were times that the nurses' station would be left unoccupied while the staff present were working with patients and there was a potential for unauthorized persons to gain access to the patient healthcare information.

d. Observation of the Rehabilitation Therapy Department (physical, occupational and speech therapy) revealed the area to be wide open with a large desk/reception area, waiting area off to the side and unrestricted access via the elevator or stairs. The large desk included a fax machine with several documents which contained patient identifiable healthcare information sitting on the print tray of the fax machine. One staff person was present, Staff Q, Physical Therapy Assistant (PTA). The surveyor did not observe a shred bin for the area.

In an interview, during the same observation of the Rehabilitation Therapy Department, Staff Q, PTA, reported staff worked in the Rehabilitation Therapy Department 8:00 AM to 4:30 PM, and sometimes, an occupational therapist would come in before 8:00 AM. Staff Q, PTA, reported this was just the fourth time Staff Q had worked at this hospital. Staff Q, PTA, reported she was the only staff person currently in the area. Staff Q, PTA, explained the faxed information was already present in the print tray when Staff Q arrived. Staff Q, PTA, explained that when she came into the department to work, she did not touch the faxes and left them on the machine. Staff Q, PTA, reported they scheduled patients at 40 minute intervals and there was a potential for patients or other persons to be in the area with no one present at the reception desk. Staff Q, PTA, reported the fax machine would just print the information as the information came in. The Administrator reported housekeeping came in to clean the area mid-afternoon daily.

5. On 3/27/24 at 10:55 AM, during an interview, the Medical Surgical Nursing Supervisor reported the lock on the shred bin located in the Medical/Surgical Department containing patient PHI was not broken and they did have a key for the lock on the bin. The Medical/Surgical Nursing Supervisor did not know why Staff K, RN, reported the need to use scissors to unlock the shred bin, or why Staff K, RN, thought the lock was broken. The Medical/Surgical Nursing Supervisor reported the guy collecting the information for shredding had just recently been there, but was usually good about relocking the shred bin after emptying the bin.

Observation of the shred bin located behind the nurses' station against the back wall in the Medical/Surgical Department revealed the shred bin to be locked. The Medical/Surgical Nursing Supervisor reached into an unlocked drawer located in the nurses' station, pulled a key and demonstrated how the key unlocked and locked the bin.