Bringing transparency to federal inspections
Tag No.: C1120
Based on observation, document review, and staff interviews, the Critical Access Hospital's (CAH) administrative staff failed to ensure the Health Information Management (HIM) staff kept patient medical information secure from unauthorized access in 1 of 1 HIM office. Failure to keep patient medical information confidential could potentially result in theft of a patient's information and potentially result in identity theft. The Director of Revenue Cycle identified the department stored approximately 20 to 24 paper patient records at a time.
Findings include:
1. Review of the CAH policy titled "Security & Protection of the Medical Record in Paper Form," approved 9/2020, revealed in part, "To prevent unauthorized access to patient medical records ... HIM staff is present in the department Monday thru Friday, 6 a.m. to 5:00 p.m. The department is locked during all hours ... After hours retrieval of paper medical records will be limited to Nursing Staff for the purpose of patient care ... Access to the department after hours is limited to Providers, House Supervisors, Executive Team, the Director of Plant Operations and those employees that work in that area."
2. Observation upon entry into the HIM department, on 11/09/2020 at 4:45 PM, revealed both department doors required an employee identification badge to unlock the doors. Observation in the department revealed an open shelving unit with file crates, which held patient medical records filed for provider signatures or other required documentation.
3. Review of a CAH employee identification badge access report from 10/02/2020 to 10/28/2020, generated to identify the employees who accessed the HIM department, revealed 2 employees (Greeter #1 and Greeter #2) accessed the area before or after staffed hours, whose job functions do not include the need to access medical records.
Greeter #1 used badge access to enter the HIM department 21 times from 10/02/2020 to 10/28/2020 prior to 6:00 AM, when HIM staff were not present.
Greeter #2 used badge access to enter the HIM department 34 times from 10/02/2020 to 10/28/2020 after to 5:00 PM, when HIM staff were not present.
4. During an interview at the time of the observation, on 11/09/2020 at 4:45 PM, the Director of Revenue Cycle reported the staff assigned to work in the office and nurses had badge access to enter, in addition to greeters. The Director of Revenue Cycle confirmed the unsecured patient information included information such as patient names, date of birth, medical record numbers, diagnoses, addresses, test results, etc, and greeters do not need access to the patient information in order to perform their job functions.
30076