Tag No.: A0142
Based on medical record review, document review, policy and procedure review, and staff interview, the facility failed to ensure that the privacy and safety requirements of patients were met. This involved a former patient, Patient #1.
Findings Include:
On 12/20/2016 the State Office Complaint Hotline received a self-reported incident from this facility which stated:
"On December 14, 2016... a photojournalist with (an area television station) arrived at (the facility) and met with (the facility's Marketing Director)... seeking information and comment related to several screenshots and videos he had in his possession. ... At that time, (the facility's Marketing Director) was not able to verify the validity of the media or the identity of the patient... Approximately two hours later, (the photojournalist) also emailed the images he had in his possession to (the facility's Marketing Director). The screenshots/video files... were then directed to Administration for further review and validation:... Once aware of the above information,... Interim Hospital Chief Executive Officer (CEO); ...Interim Chief Nursing Officer (CNO); ...Risk Management Director; and ...Assistant Administrator review(ed) the images in question. The images appeared to show a patient that may have, at some point, been in our facility as a patient and also identified the (social media) accounts of several (employed and contract) hospital staff members.... Each of the... individuals were interviewed by Administration in the presence of their supervisors and/or ...Interim Human Resources Director. After the interview, it was believed they each had knowledge of, and varying participation in, the posting of images to social media..."
On 12/21/16 at 9:00 a.m. an unannounced visit was made to the facility for the purpose of investigating the self-reported incident. During an interview at 9:10 a.m. the hospital's Interim CEO confirmed the facility was aware of the allegations, that the incident was still in the investigating stage, and that their Corporate Office and full legal team were involved. He also stated that their legal team had immediately contacted the social media involved to render unusable the pictures and video. (This documentation was reviewed.) The Interim CEO stated that the incidents may date as far back as November 2015 and that some of the photographs might possibly be of patients' medical records. He confirmed that the person in the video was a patient on the west campus and was in a psychotic episode during the recording. The Interim CEO stated that the incident had also been reported to the Attorney General's office on 12/19/2016 and that the facility will follow all applicable laws and regulations.
Review of Patient #1's medical record confirmed she was a patient at the hospital's West Campus, which houses adult and adolescent psychiatric patients.
On 12/21/16 at 9:25 a.m. an interview with the Interim CNO and Quality Assurance Coordinator (QAC) revealed that the six (6) employees involved in the incident were interviewed by Administration in the presence of their supervisors and/or the Interim Human Resources Director. After the interviews the three (3) contract employees had their identification badges and access revoked and were instructed not to return to the facility unless seeking personal emergency medical care. The three (3) hospital employees had their identification badges and access revoked and were instructed not to return to work pending complete investigation. The Interim CNO then stated that the three (3) hospital employees were terminated as of 12/20/16.
All six (6) employee personnel files were reviewed. All of these employees had completed orientation of HIPAA and Confidentiality Training, had updates on this training annually, and had Criminal Background Checks performed.
Review of the facility's "Workforce Information Security Agreement Policy" (Original Effective Date: 1/1/2011 Revision Date: 3/14/2016) revealed: "Purpose: ...to promote individual responsibility for assuring confidentiality, security, and compliance by making each user accountable for their conduct while accessing company electronic assets ... Policy: All (facility) employees must read, sign and abide by the Workforce Information Security Agreement. The Agreement acknowledges specific responsibilities the individual has in relation to information security and the protection of sensitive information, including, but not limited to, confidential patient information, from unauthorized access, use or disclosure ... Monitoring: Monitoring of compliance with this policy shall include a periodic review of the signed agreements on file ...with the list of employees and contractors."
Review of the facility's "Confidentiality Policy" (Original Effective Date: 2/1/2006 Revision Date: 11/4/2016) revealed: "Policy: The use and disclosure of a patient's individually identifiable health information must be in compliance with existing federal and state regulations. The purpose of this policy is to protect the patient, the clinical team and the facility from the inappropriate use and disclosure of individually identifiable health information."
Review of the facility's "Data Breach Notification For Unsecured Protected Health Information Policy" (Original Effective Date: 6/1/2012 Revision Date: 10/17/2016) revealed: "Purpose: To provide guidance for determining whether a notification obligation exists following a known or suspected data breach and the steps necessary to comply with notification obligations... (facility) shall notify each individual whose protected health information has been or is reasonably believed to have been accessed ...notification may be made via electronic mail if the individual has agreed to receive notice ...and in no case later than 60 calendar days ...".
During an Exit Conference on 12/21/16 at 3:50 p.m. these findings were discussed. The Interim Hospital CEO stated that the social media account in question had been taken down and was considered unusable.