Tag No.: A0143
Based on record review, interviews and observations, the facility failed to maintain patients' Protected Health Information (PHI) for 42 (P [Patient] 11 - P52) of 42 (P11 - P52) patients. This failed practice can lead to direct inappropriate disclosure and an increased risk of misuse and breach of PHI.
The findings are:
A. Record review of facility's policy titled "HIPPA [Health Insurance Portability and Accountability Act] Security Program" dated 01/30/2023 revealed:
"POLICY: 2. Organizational Management of Security Program: Clean Desk and Screen Policy - All workstation screens must be clear of Confidential Information from their desks when unattended to prevent inadvertent or deliberate viewing by unauthorized individuals."
B. Record review of facility's policy titled "Workstation Use & Security" dated 11/27/2023 stated, "Policy: Acceptable Use: 1. All personnel are responsible for protecting the information resources at their individual workstations and abiding by all Information Security Policies and Procedures that apply to their individual environment. Workstation Security: 3. Sensitive, confidential or critical electronic business information or data, including ePHI [electronic protected health information], used or generated at the workstation will be secured."
C. During an observation on 01/29/2024 at 2:52 pm of emergency department nursing station 1, the following PHI was visible on computer workstations:
1. Computer 1 revealed the following PHI list: patient name, age, sex, location, patient details (complaints, reason for visit), temperature, heart rate, oxygen level, weight, status, and length of stay for P11 through P24.
2. Computer 2 revealed the following single patient PHI: patient name, age, sex, complaint, blood glucose level, medications, and labs for P19.
3. Computer 3 revealed the following PHI list: location, patient name, age, sex, patient details (patient complaint), medical history, temperature, blood pressure, respiratory rate, oxygen level, weight, status, and length of stay for P12 - P18 and P25 - P35.
4. Computer 4 revealed the following single patient PHI: patient name, allergies, age, sex, height, weight, medical record number, date of birth, financial number, location, reason for admission, patient phone number, and activity view for PHI for P24.
5. Computer 5 had an electrocardiogram (EKG, a test that measures the electrical activity of the heartbeat) that revealed the following PHI: patient name, identification number, date of birth, age, sex, and EKG results for P19.
D. During an observation on 01/30/2024 at 2:40 pm of nursing station 2, the following PHI was visible on computer workstations:
1. Computer 1 revealed the following PHI list: location, patient name, age, sex, patient details (complaint), temperature, blood pressure, heart rate, respiratory rate, oxygen level, weight, status, and length of stay for P36 - P51.
2. Computer 2 showed the following PHI list: location, patient name, age, sex, patient details (complaint), temperature, blood pressure, heart rate, respiratory rate, oxygen level, weight, status, and length of stay for P36 - P49.
3. Computer 3 showed the following single patient PHI: patient name, allergies, medication administration record summary, age, sex, height, weight, medical record number, date of birth, financial number, location, code status, COVID - 19 test results, admitting diagnosis, and patient phone number for P52.
E. During an interview on 01/30/2024 at 2:45 pm, Staff (S) 3, Charge Nurse, confirmed that when staff walk away from the computer, the screen should be locked and should never be open with patient information.