Tag No.: A0043
Based on hospital document review, observations, and interviews, the hospital's governing body failed to ensure each patient's rights were protected and promoted, including failing to ensure the confidentiality of patient records was maintained when 37 of 37 patient records were breached. The hospital's non-compliance placed all patients in a serious and immediate threat and placed them in an Immediate Jeopardy (IJ).
The findings include:
Review of hospital documentation, provided to patients, titled, "Patient Rights and Responsibilities," revised 10/05/2018, revealed "...You have the right to be treated with consideration, respect and dignity...You have the right to receive care in a safe setting, to be free from neglect, exploitation...You have the right to privacy and to confidentiality of your clinical records..."
Review of hospital policy titled, "Patient/Resident Rights- [Name of hospital ownership/organization]," revised 7/11/2023, revealed "... [Name of hospital ownership/organization] is committed to the observance of each patient/resident's rights ..."
Review of hospital documentation titled, "Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Corrective Action Plan Procedural Guide," dated 8/1/2022, revealed "...level 3: Deliberate or purposeful privacy or security violations, noncompliant with the law, without harmful intent...Failure to ensure security policies and procedures are followed...level 4: Deliberate or purposeful privacy or security violations, noncompliant with the law, with harmful and/or malicious intent...Acquisition, access, use, or disclosure of protected health information in a manner not permitted by law which compromises the security or privacy of the protected health information..."
Review of hospital documentation titled "[Hospital] Patients Impacted by HIPPA Violations," with the HIPAA Compliance Officer on 8/29/2024 at 9:15 AM, revealed that, according to the compliance investigations, patients who had received care at the hospital were impacted by "Impermissible Access" of PHI as follows:
June 2024 - 28 patients.
July 2024 - 4 patients.
August 2024 - 5 patients.
Continued review revealed the hospital employees responsible for the "Impermissible Access" of PHI were not permitted, according to the hospital policy, to gain access to the PHI records of 37 patients from June-August 2024.
Review of a Correction Action Notice dated 6/20/2024 revealed Unlicensed Employee #1 received a "Final Written Warning" for HIPAA Violation when the employee accessed the records of multiple patients [28 patients] without a HIPAA-permitted reason. The information accessed included patients' demographic information: name, Date of Birth (DOB), age, address, phone numbers, last 4 of SSN, name of primary care physician, email address, language, religion, ethnicity, race, and an overview of the patients' medical records.
Review of Correction Action Notice dated 7/23/2024 revealed Certified Nurse Aide (CNA) #2 received a "Final Written Warning" for Health Insurance Portability and Accountability Act (HIPAA) Violation when the employee accessed a patient's PHI that included patient demographic information: name, Date of Birth (DOB), age, address, phone numbers, last 4 of SSN, name of primary care physician, email address, language, religion, ethnicity, race, and an overview of the patient's medical record.
Review of Correction Action Notice dated 7/31/2024 revealed Nurse Aide (NA) #2 received a "Final Written Warning" for HIPAA Violation when the employee accessed the PHI of a patient who was not in the employee's care on four (4) separate dates and occasions.
Review of Correction Action Notice dated 8/1/2024 revealed Nurse Aide (NA) #1 received a "Final Written Warning" for HIPAA Violation when the employee accessed the PHI of a patient who was not in the employee's care on seven (7) separate dates and occasions.
During an interview on 8/22/2024 at 9:45 AM, the Risk Manager stated Risk Management was not aware of any concerns related to PHI breaches by the hospital employees and "...Compliance might have information [regarding any breaches and facilitated interview with the Senior Vice President, Chief Compliance Officer/Chief Audit Executive]..."
During an interview on 8/22/2024 at 1:00 PM, the hospital's QAPI Coordinator confirmed the QAPI committee had not developed, implemented, or maintained an effective, ongoing, hospital-wide, data-driven QAPI improvement program as it related to PHI. According to the hospital's QAPI Coordinator, the breach in the PHI did not meet the criteria to be in QAPI.
During a speaker telephone interview on 8/22/2024 at 1:10 PM, the Senior Vice President, Chief Compliance Officer/Chief Audit Executive and the HIPAA Compliance Officer confirmed Unlicensed Employee #1 violated HIPAA and breached PHI for the 37 patients not under her care.
During an interview on 8/28/2024 at 10:00 AM, the Human Resources (HR) Director stated the Unlicensed Employee #1, CNA #2, NA #1, and NA #2 received disciplinary action for their individual breaches of the PHI. The HR Director also stated, "...I think some of them should have been terminated..." She further stated that some of the employees with "Final Written Warnings" had previously breached PHI, continued to receive warnings, and were not always terminated by the hospital. The HR Director stated, "...This is a decision made by Compliance..."
During an interview on 8/29/2024 at 10:30 AM, the Assistant Vice President of Compliance and the HIPAA Compliance Manager stated the hospital tracks and trends the data breaches and in-services were provided to the hospital employees upon hire, annually, and throughout the year. However, there were no further in-service trainings after breaches of PHI or HIPAA violations occurred. A recommendation of disciplinary action was made to HR and a letter was sent to the patient or patient's representative when an employee violated HIPAA and breached PHI for patients not under their care. When asked, the Assistant Vice President of Compliance confirmed the PHI breaches were not presented to QAPI.
** Cross reference to: §482.13 Condition of Participation: Patient's Rights. A hospital must protect and promote each patient's rights. Tag A-0115
** Cross reference to: §482.21 Condition of Participation: Quality Assessment and Performance Improvement Program (QAPI). Tag A-0263
Tag No.: A0115
Based on hospital document review, observations, and interviews, the hospital failed to ensure Protected Health Information (PHI) was protected for 37 of 37 patients reviewed for PHI. The hospital failed to ensure patient privacy was protected when 2 random patients (RP) (RP #4 and #5) received care at the emergency room nurses' station and when 3 random patients (RP #1, #2, and #3) received care in the emergency room waiting area among other waiting patients, families, and visitors.
The failure of the hospital to mitigate risks associated with breaches and potential disclosures of PHI, for which the hospital was entrusted, and the hospital's failure to maintain patients' right to privacy in the emergency department, placed all patients in a serious and immediate threat and placed them in an Immediate Jeopardy (IJ).
The findings include:
1. Review of hospital documentation, provided to patients, titled, "Patient Rights and Responsibilities," revised 10/05/2018, revealed "...You have the right to be treated with consideration, respect and dignity...You have the right to receive care in a safe setting, to be free from neglect, exploitation...You have the right to privacy and to confidentiality of your clinical records..."
Review of a hospital policy titled, "Patient/Resident Rights- [Name of hospital ownership/organization]," revised 7/11/2023, revealed "...[Name of hospital ownership/organization] is committed to the observance of each patient/resident's rights..."
Review of hospital documentation titled, "Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Corrective Action Plan Procedural Guide," dated 8/1/2022, revealed "...level 3: Deliberate or purposeful privacy or security violations, noncompliant with the law, without harmful intent...Failure to ensure security policies and procedures are followed...level 4: Deliberate or purposeful privacy or security violations, noncompliant with the law, with harmful and/or malicious intent ...Acquisition, access, use, or disclosure of protected health information in a manner not permitted by law which compromises the security or privacy of the protected health information..."
2. Review of the hospital's Corrective Action Notices revealed the following:
On 6/20/24 Unlicensed Employee #1 received a Final Written Warning for accessing 28 patient medical records without a HIPAA permitted reason.
On 7/23/24 Certified Nursing Assistant (CNA) #2 received a Final Written Warning for accessing a patient's medical record information, without authorization.
On 7/31/24 Nursing Assistant (NA) #3 received a Final Written Warning for accessing patient PHI on four (4) separate occasions, without authorization.
On 8/1/24 NA #1 received a Final Written Warning for accessing patient PHI on seven (7) separate occasions, without authorization.
On 8/29/24, the hospital's HIPAA Compliance Officer verified through investigation that Unlicensed Employee #1, CNA #3, NA #1, and NA #3 had accessed PHI of 37 patients without authorization.
During an interview on 8/28/24, the hospital's Human Resource (HR) Director stated some of the above-named employees should have been terminated for breaching the PHI.
During an interview on 8/29/24, the Assistant Vice President (VP) of Compliance/HIPAA Manager stated the hospital did not provide additional in-services to staff after the breaches of the PHI had been determined.
3. During survey observations, the hospital's emergency room (ER) physical environment allowed patients to overhear nurses discuss the care, diagnosis, and laboratory (lab) results of other patients. The hospital had 15 designated stretchers placed along the walls and nurses' stations of the ER, without the use of privacy screens, leaving patients visible to other patients, visitors, and families. The patients who received care were able to be seen by others and their care information could be easily overheard by other patients, families, and visitors.
Refer to A0143 and A0146
Tag No.: A0263
Based on hospital documentation review, policy review, employee record review, and interviews, the hospital failed to mitigate risks by not demonstrating evidence of Quality Assurance Performance Improvement (QAPI) associated with breaches of 37 of 37 patients' Protected Health Information (PHI). This allowed for potential disclosures of the patients' PHI, which could potentially have personal and financial impacts on any patient who received care at the hospital, and placed all patients in a serious and immediate threat and placed them in an Immediate Jeopardy (IJ).
The findings include:
Review of hospital documentation, provided to patients, titled, "Patient Rights and Responsibilities," revised 10/05/2018, revealed "...You have the right to be treated with consideration, respect and dignity...You have the right to receive care in a safe setting, to be free from neglect, exploitation...You have the right to privacy and to confidentiality of your clinical records..."
Review of a hospital policy titled, "Patient/Resident Rights- [Name of hospital ownership/organization]," revised 7/11/2023, revealed "... [Name of hospital ownership/organization] is committed to the observance of each patient/resident's rights ..."
Review of hospital documentation titled, "Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Corrective Action Plan Procedural Guide," dated 8/1/2022, revealed "...level 3: Deliberate or purposeful privacy or security violations, noncompliant with the law, without harmful intent...Failure to ensure security policies and procedures are followed...level 4: Deliberate or purposeful privacy or security violations, noncompliant with the law, with harmful and/or malicious intent ...Acquisition, access, use, or disclosure of protected health information in a manner not permitted by law which compromises the security or privacy of the protected health information..."
Review of Correction Action Notice dated 6/20/2024 revealed Unlicensed Employee #1 received a "Final Written Warning" for HIPAA Violation when the employee accessed 28 patients' medical records without a HIPAA-permitted reason. The information accessed included patients' demographic information: name, Date of Birth (DOB), age, address, phone numbers, last 4 of SSN, name of primary care physician, email address, language, religion, ethnicity, race, and an overview of the patients' medical records.
Review of Correction Action Notice dated 7/23/2024 revealed Certified Nurse Aide (CNA) #2 received a "Final Written Warning" for HIPAA Violation when the employee accessed a patient's PHI that included patient demographic information: name, Date of Birth (DOB), age, address, phone numbers, last 4 of SSN, name of primary care physician, email address, language, religion, ethnicity, race, and an overview of the patient's medical record.
Review of Correction Action Notice dated 7/31/2024 revealed Nurse Aide (NA) #2 received a "Final Written Warning" for HIPAA Violation when the employee accessed the PHI of a patient who was not in the employee's care on four (4) separate dates and occasions.
Review of Correction Action Notice dated 8/1/2024 revealed NA #1 received a "Final Written Warning" for HIPAA Violation when the employee accessed the PHI of a patient who was not in the employee's care on seven (7) separate dates and occasions.
Review of hospital documentation titled "[Hospital] Patients Impacted by HIPPA Violations," with the HIPAA Compliance Officer on 8/29/2024 at 9:15 AM, revealed that, according to the compliance investigations, patients who had received care at the hospital were impacted by "Impermissible Access" of PHI as follows:
June 2024 - 28 patients.
July 2024 - 4 patients.
August 2024 - 5 patients.
Continued review revealed the hospital employees responsible for the "Impermissible Access" of PHI were not permitted, by hospital policy, to gain access to the PHI records of 37 patients from June-August 2024.
During an interview on 8/22/2024 at 9:45 AM, the Risk Manager stated Risk Management was not aware of any concerns related to PHI breaches by the hospital employees and "...Compliance might have information [regarding any breaches and facilitated interview with the Senior Vice President, Chief Compliance Officer/Chief Audit Executive]..."
During an interview on 8/22/2024 at 1:00 PM, the hospital's Quality Assurance Performance Improvement (QAPI) Coordinator stated the QAPI committee did not develop, implement, or maintain an effective, ongoing, hospital-wide, data-driven QAPI program as it related to PHI. According to the hospital's QAPI Coordinator, breaches in the PHI did not meet the criteria to be in QAPI.
During a speaker telephone interview on 8/22/2024 at 1:10 PM, the Senior Vice President, Chief Compliance Officer/Chief Audit Executive and the HIPAA Compliance Officer confirmed Unlicensed Employee #1 violated HIPAA and breached PHI for the 28 patients not under her care.
During an interview on 8/28/2024 at 10:00 AM, the Human Resources (HR) Director stated the Unlicensed Employee #1, CNA #2, NA #1 and NA #2 received disciplinary action for their individual breaches in PHI. The HR Director also stated, "...I think some of them should have been terminated..." She further stated that some of the employees with "Final Written Warnings" had previously breached PHI, continued to receive warnings, and were not always terminated by the hospital. The HR Director stated, "This is a decision made by Compliance."
During an interview on 8/29/2024 at 10:30 AM, the Assistant Vice President of Compliance and the HIPAA Compliance Manager revealed the hospital tracks and trends the data breaches and in-services were provided to the hospital employees upon hire, annually, and throughout the year. However, there were no further in-service trainings after breaches of PHI or HIPAA violations occurred. A recommendation of disciplinary action was made to HR and a letter was sent to the patient or patient's representative when an employee violated HIPAA and breached PHI for patients not under their care. The Assistant Vice President of Compliance confirmed the PHI breaches were not presented to QAPI.
** Cross reference to: §482.13 Condition of Participation: Patient's Rights. A hospital must protect and promote each patient's rights. Tag A-0115
Tag No.: A0143
Based on hospital observations and interviews, the hospital failed to ensure patient privacy was protected when 2 random patients (Random Patient (RP) #4 and #5) received care at the emergency room (ER) nurses' station and when 3 random patients (RP #1, #2, and #3) received care in the emergency room waiting area among other waiting patients, families, and visitors. The hospital failed to ensure patients' right to privacy was maintained when staff provided care in the emergency room and in the emergency waiting area.
The findings include:
Observations and interviews in the ER and the ER waiting room on 8/21/2024 at 9:23 AM; 8/22/2024 at 9:44 AM and 3:14 PM; 8/27/2024 at 8:40 AM and 3:40 PM; and 8/28/2024 at 6:30 AM revealed all 35 ER bays were filled with patients, along with patients on the 15 designated stretchers that lined the walls and nurses' station of the ER, providing opportunity for others to overhear PHI and to observe patient care of other patients by the nursing and medical staff.
An observation on 8/22/2024 at 3:14 PM in the ER waiting room revealed the ER waiting area had an overflow of patients with 3 "Results Waiting" chairs that were located near the ER waiting room lobby, where RP #1 and RP #2 were receiving intravenous (IV) fluids and medication in the presence of the other waiting patients, families, and visitors. This setting allowed for opportunities for breaches of the patients' PHI.
During an observation and interview on 8/26/2024, at 3:30 PM, RP #1 and RP #2 were observed in wheelchairs in the ER waiting room with IV fluids infusing and the IV bag hanging on IV poles. RP #2 was observed to have a smaller bag of IV antibiotics infusing in addition to the IV fluids. The nursing staff stated RP #2 was receiving antibiotics for a urinary tract infection (UTI).
During an observation in the ER on 8/27/2024 at 3:15 PM, RP #3 was observed sitting in a wheelchair in the ER waiting room with IV fluids infusing and the IV bag hanging on a pole.
An observation and interview on 8/28/2024 at 6:40 AM revealed 2 patients (RP #4 and RP #5) lying on stretchers, approximately 4 feet from the end of RP #1's occupied stretcher to the end of RP #2's occupied stretcher. The two patients' occupied stretchers were placed against the nurses' station; RP #1 and RP #2 were facing each other in clear view, without the use of privacy screens or visual barriers between them, which allowed the patients opportunity to view the care provided to one another. Due to the short distance between the patients, RP #1 and RP #2 could easily overhear Registered Nurse (RN) #1 and RN #2's verbal report. The surveyor observed and easily overheard the verbal report of the off-going shift from RN #1 to the oncoming RN #2 and the verbal reports of the patient's status for each individual patient. The surveyor stood on the outside of the nurses' station near RP #1 and RP #2 and easily heard each patient's name, diagnosis, and pending laboratory reports. After RN #1 and RN #2 completed their verbal reports for RP #1 and RP #2, the surveyor asked if either RN #1 or RN #2 was concerned with HIPAA violations with providing oral reports with each patient's PHI. RN #1 stated, "We don't talk that loud for them to hear." RN #1 and RN #2 were informed that the surveyor could clearly hear their reports for each patient while standing near RP #1 and RP #2.
The hospital's ER physical environment allowed patients to overhear nurses discuss the care, diagnosis, and lab results of other patients. The hospital has 15 designated stretchers placed along the walls and nurses' stations of the ER, without the use of privacy screens, leaving patients visible to other patients, visitors, and families. The patients who received care were able to be seen by others and their care information could be easily overheard by other patients, families, and visitors.
Tag No.: A0146
Based on hospital document review, observations, and interviews, the hospital failed to ensure Protected Health Information (PHI) was protected for 37 of 37 patients reviewed for PHI. The hospital failed to ensure patient privacy was protected when 2 random patients (RP) (RP #4 and #5) received care at the emergency room nurses' station and when 3 random patients (RP #1, #2, and #3) received care in the emergency room waiting area among other waiting patients, families, and visitors.
The disclosure of PHI could potentially have personal and financial impacts on any patient that receives or has received care at the hospital. The failure of the hospital to mitigate risks associated with breaches and potential disclosures of PHI for which the hospital was entrusted, placed all patients in a serious and immediate threat and placed them in an Immediate Jeopardy (IJ).
The findings include:
Review of hospital documentation, provided to patients, titled, "Patient Rights and Responsibilities," revised 10/05/2018, revealed "...You have the right to be treated with consideration, respect and dignity...You have the right to receive care in a safe setting, to be free from neglect, exploitation...You have the right to privacy and to confidentiality of your clinical records..."
Review of a hospital policy titled, "Patient/Resident Rights- [Name of hospital ownership/organization]," revised 7/11/2023, revealed "... [Name of hospital ownership/organization] is committed to the observance of each patient/resident's rights..."
Review of hospital documentation titled, "Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Corrective Action Plan Procedural Guide," dated 8/1/2022, revealed "...level 3: Deliberate or purposeful privacy or security violations, noncompliant with the law, without harmful intent...Failure to ensure security policies and procedures are followed...level 4: Deliberate or purposeful privacy or security violations, noncompliant with the law, with harmful and/or malicious intent ...Acquisition, access, use, or disclosure of protected health information in a manner not permitted by law which compromises the security or privacy of the protected health information..."
Review of hospital documentation titled "[Hospital] Patients Impacted by HIPPA Violations," with the HIPAA Compliance Officer on 8/29/2024 at 9:15 AM, revealed that, according to the compliance investigations, patients who had received care at the hospital were impacted by "Impermissible Access" of PHI as follows:
June 2024 - 28 patients.
July 2024 - 4 patients.
August 2024 - 5 patients.
Continued review revealed the hospital employees responsible for the "Impermissible Access" of the PHI were not permitted, according to the hospital policy, to gain access to the PHI records of 37 patients from June-August 2024.
Review of Correction Action Notice dated 6/20/2024 revealed Unlicensed Employee #1 received a "Final Written Warning" for HIPAA Violation when the employee accessed the records of multiple patients [28 patients] without a HIPAA-permitted reason. The information accessed included patients' demographic information: name, Date of Birth (DOB), age, address, phone numbers, last 4 of SSN (Social Security Number), name of primary care physician, email address, language, religion, ethnicity, race, and an overview of the patients' medical records.
Review of Correction Action Notice dated 7/23/2024 revealed Certified Nurse Aide (CNA) #2 received a "Final Written Warning" for HIPAA Violation when the employee accessed a patient's PHI that included patient demographic information: name, Date of Birth (DOB), age, address, phone numbers, last 4 of SSN, name of primary care physician, email address, language, religion, ethnicity, race, and an overview of the patient's medical record.
Review of Correction Action Notice dated 7/31/2024 revealed Nurse Aide (NA) #3 received a "Final Written Warning" for HIPAA Violation when the employee accessed the PHI of a patient who was not in the employee's care on four (4) separate dates and occasions.
Review of Correction Action Notice dated 8/1/2024 revealed Nurse Aide (NA) #1 received a "Final Written Warning" for HIPAA Violation when the employee accessed the PHI of a patient who was not in the employee's care on seven (7) separate dates and occasions.
During an interview on 8/22/2024 at 9:45 AM, the Risk Manager stated Risk Management was not aware of any concerns related to PHI breaches by the hospital employees and "...Compliance might have information [regarding any breaches and facilitated interview with the Senior Vice President, Chief Compliance Officer/Chief Audit Executive]..."
A speaker telephone interview on 8/22/2024 at 1:10 PM with the Senior Vice President, Chief Compliance Officer/Chief Audit Executive and the HIPAA Compliance Officer revealed Unlicensed Employee #1 violated HIPAA and breached PHI for the 28 patients not under her care.
During an interview on 8/28/2024 at 10:00 AM, the Human Resources (HR) Director revealed the Unlicensed Employee #1, CNA #2, NA #1 and NA #2 received disciplinary action for their individual breaches in the PHI. The HR Director also stated, "...I think some of them should have been terminated..." She further stated that some of the employees with "Final Written Warnings" had previously breached PHI, continued to receive warnings, and were not always terminated by the hospital. The HR Director stated, "This is a decision made by Compliance."
During an interview on 8/29/2024 at 10:30 AM, the Assistant Vice President of Compliance and the HIPAA Compliance Manager stated the hospital tracks and trends the data breaches and in-services were provided to the hospital employees upon hire, annually, and throughout the year. However, there were no further in-service trainings after breaches of PHI or HIPAA violations occurred. A recommendation of disciplinary action was made to HR and a letter was sent to the patient or patient's representative when an employee violated HIPAA and breached PHI for patients not under their care.