Bringing transparency to federal inspections
Tag No.: A0441
Based on interview and record review, facility staff failed to protect the confidentiality of patient electronic medical records (EMR) by granting access to:
- A total of 2253 individuals in 97 locations (the facility plus 96 off-site clinics/offices), without regularly scheduled monitoring or formal auditing to check for inappropriate accesses.
- The 2253 included approximately 966 individuals who worked in 96 privately owned clinics/offices (not facility employees) and who had access to the facility EMR without regularly scheduled monitoring or formal auditing to check for inappropriate accesses, who was using the information, and for what purpose.
- The 97 locations included six locations with staff whose organizational function could not be identified and two locations whose functional relationship to patients could not be identified.
These deficient practices had the potential to expose every patient treated for any reason at the facility to undetected, unauthorized access to their personal and medical information. The facility census was 203.
Findings included:
1. Record review of the facility's Health Information Management (HIM) policy titled, "Data Protection and Confidentiality Guidelines for Department" dated 02/12 showed the following:
- The facility had considered the need for access to and appropriate levels of security and confidentiality of data and information.
- To provide a balance between data sharing and data confidentiality, individuals and departments have been identified with specific policies/procedures outlining the access to and needs for data and information.
- Clerical personnel under the Revenue Cycle Management/Business Office umbrella will have access to all necessary patient information that allows for appropriate billing, insurance and financial procedures.
- Other individuals, including ancillary personnel and administrative personnel will have access to patient data and information on an as needed basis, restricted to level of authority, in accordance with hospital-wide policies and procedures governing information security and confidentiality.
Record review of the facility's HIM policy titled, "Violation of Confidentiality/Security of Organizational Information" dated 03/12 showed the following:
- The policy was to manage data and information with the highest degree of security and confidentiality.
- All efforts will be undertaken to prevent breach of this confidentiality and security.
- Should data or information confidentiality/security become breached by an individual not in the employ of the facility, (a specific procedure and staff to be notified) will be followed.
- Any violations of confidentiality and privacy of the patient's protected health information will be monitored and reported to identify any negative trends and to assure optimal enforcement of the confidentiality and privacy information policy of this institution.
No steps were identified in the policy to prevent unauthorized access to the patient EMR, even though the policy specified that all efforts would be undertaken to prevent breaches of confidentiality and security.
No methods of monitoring or auditing EMR accesses had been developed to identify unauthorized accesses or breaches.
2. Record review of a facility investigation of a breach (triggered by a patient complaint, not by preventive measures taken by staff) showed the following:
- A front office clerk in a privately owned/operated clinic was granted EMR access in 08/12 when she was hired.
- The owner/operator of the clinic was a credentialed member of the medical staff of the facility.
- The front office clerk worked for the owner/operator and was granted access to the facility EMR because she was employed in the clinic.
- The access request was made to the facility Quality/Risk Management Department and was granted without restriction.
- The clerk inappropriately accessed EMR as early as 04/02/13.
- The facility investigation found 126 patient EMR had been inappropriately accessed by the front office clerk (patients were not treated in the clinic by the owner/operator physician).
- The clerk was terminated as of 09/19/13, after the investigation.
3. During an interview on 10/28/13 at 10:05 AM, Staff D, Director of Quality/Risk Management (Q/RM), stated that:
- All of the clinics were owned by medical staff physicians not the facility.
- The physician owned clinics were staffed with individuals who were not facility employees.
- There were an unknown number of clinics (total number was identified later) who were staffed by an unknown number of non-facility employees (total number estimated later).
- The facility allowed each clinic to have access to the EMR of all the patients (current and past).
- Each year, the facility obtained a signed statement from each clinic owner stating the patient EMR would be kept confidential and per the facility policies and procedures that directed confidentiality of patient EMR.
- Each physician clinic owner was expected to ensure each of the clinic staff maintained EMR with confidentiality and per the facility policies and procedures that directed confidentiality of patient EMR.
- The general process for obtaining EMR access was that Staff D's office would receive the request for access; access was granted based on the job title of the individual; and Staff D did not have knowledge of the actual job duties of any of the clinic staff.
- Monitoring and auditing could be done when the facility had a "celebrity" patient or a high-profile patient.
- Monitoring and auditing for unauthorized accesses was not done on a routine basis because it took a lot of time (was labor intensive).
4. During an interview on 10/28/13 from approximately 10:15 AM through 11:40 AM, Staff B, Executive Director of Information Systems (computer department) stated that:
- If an individual was granted access to the facility patient EMR, that person could access the physician's history and physical examination done on a patient; physician's progress notes; laboratory test results; radiology results and the discharge summary.
- He did not know how to limit access by a specific person.
- He felt there were no methods to audit accesses in the current system.
- There were three "pop up" screens in the current EMR computer system that warned staff that accesses were monitored and asked whether the individual really had a reason to proceed.
- He knew a person could go past those screens (there was no routine monitoring of those who proceeded past the pop ups).
- He felt he could not "target" a specific staff person or individual to audit.
- He was unsure if monitoring or audits for unauthorized accesses could be performed per individual or per patient.
- All facility physicians (and consequently all of the physicians' office staff) could access any patient's EMR at any time.
5. Record review of the facility's tracking of Health Insurance Portability and Accountability Act (HIPAA, the law that protects a person's private health information) complaints showed that:
- From 02/14/12 through 09/24/13 there were 27 investigations.
- Of the 27 investigations, a majority were for inappropriate disclosures of health care information (documents sent to the wrong patient, social media photo posted by an employee; and digital camera theft that contained photos of patient wounds).
- None of the 27 investigations were based on routine monitoring or audits for unauthorized accesses into the EMR system.
6. During an interview on 10/29/13 at 9:00 AM, Staff K, Director of Information Systems stated that:
- She was in a corporation-wide position (not based at the facility).
- She was in charge of security for the information systems used at the facility level.
- An Information Systems "best practice" to monitor accessed records would be to calculate a percentage of the total number of individuals with access and do routine random audits of those individuals to find unauthorized accesses (not currently done).
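As an added illustration (not part of the inspection report, and not the facility's own system or code), the following Python shows what the routine audit described by Staff K, and the per-individual and per-patient checks Staff B was unsure about, look like in practice. It assumes two inputs that the report does not describe in detail: a structured EMR access log (who opened which patient's record, from which clinic) and an encounter table (which clinics have a documented treatment relationship with which patients). All names, identifiers and log rows below are constructed.

```python
"""Added illustration: routine EMR access-log auditing.

Constructed data only; the report's actual EMR system and logs are not described.
Assumes two inputs the audit needs: an access log (who viewed which patient's record,
from which clinic) and an encounter table (which clinics have treated which patients).
"""
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    ts: str           # timestamp of the record view
    user: str         # account that viewed the record
    clinic: str       # organization the account belongs to
    patient_id: str   # patient whose record was viewed
    record_type: str  # e.g. H&P, progress notes, labs, radiology, discharge summary


# Constructed encounter table: (clinic, patient) pairs with a documented treatment
# relationship. In practice this would come from scheduling/encounter data.
ENCOUNTERS = {
    ("clinic_17", "P1001"), ("clinic_17", "P1002"),
    ("clinic_42", "P2001"),
}

# Constructed access log. The flagged rows mirror the report's pattern: a clinic
# user opening records of patients the clinic never treated.
ACCESS_LOG = [
    Access("2013-04-02T09:12", "clerk_a", "clinic_17", "P1001", "H&P"),
    Access("2013-04-02T09:15", "clerk_a", "clinic_17", "P3001", "labs"),
    Access("2013-04-02T09:16", "clerk_a", "clinic_17", "P3002", "discharge_summary"),
    Access("2013-04-03T14:01", "nurse_b", "clinic_42", "P2001", "progress_notes"),
    Access("2013-04-03T14:05", "nurse_b", "clinic_42", "P1002", "radiology"),
    Access("2013-04-03T15:30", "clerk_c", "clinic_17", "P1002", "labs"),
]


def flag_unrelated_accesses(log, encounters):
    """Accesses where the user's clinic has no treatment relationship with the patient."""
    return [a for a in log if (a.clinic, a.patient_id) not in encounters]


def accesses_by_user(log, user):
    """Per-individual view: everything one account opened (the 'target a person' case)."""
    return [a for a in log if a.user == user]


def accesses_by_patient(log, patient_id):
    """Per-patient view: every account that opened one chart (the 'celebrity patient' case)."""
    return [a for a in log if a.patient_id == patient_id]


def sample_users_for_audit(log, fraction, seed):
    """Pick a fixed percentage of all accounts with access for routine random review.

    The seed is recorded with the audit so the sample can be reproduced later."""
    users = sorted({a.user for a in log})
    k = max(1, round(len(users) * fraction))
    return sorted(random.Random(seed).sample(users, k))


def audit_report(log, encounters, fraction, seed):
    """Routine audit: sample accounts, then check only their accesses against encounters."""
    sampled = sample_users_for_audit(log, fraction, seed)
    flagged = flag_unrelated_accesses([a for a in log if a.user in sampled], encounters)
    by_user = defaultdict(list)
    for a in flagged:
        by_user[a.user].append(a)
    return {"sampled": sampled, "flagged_by_user": dict(by_user)}


if __name__ == "__main__":
    report = audit_report(ACCESS_LOG, ENCOUNTERS, fraction=1.0, seed=2013)
    for user, hits in report["flagged_by_user"].items():
        print(f"{user}: {len(hits)} unrelated access(es)")
        for a in hits:
            print(f"  {a.ts} {a.patient_id} {a.record_type}")
```

Two caveats a practitioner would add. The encounter rule produces a review queue, not a verdict: referrals, consults and billing work can legitimately touch a chart with no encounter for that clinic, so each flagged row still needs a human to confirm or clear it, and the reviewer's decision should be recorded with the seed and sample. The rule also only works if the EMR actually writes an access log row for every chart view, including views where the user clicked past a warning screen; the acknowledgement of such a warning belongs in the same log so it can be pulled into the sample.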
7. During an interview on 10/29/13 at 10:50 AM, Staff I, Physician Owner/Operator of the clinic where a clerk inappropriately accessed EMR stated that:
- He employed seven or eight individuals in the office.
- He felt all of the clinic staff needed EMR access based on their job duties.
- The terminated clerk was assigned to access patient information, but not the EMR of the 126 patients who were not his patients.
- He and the clinic Office Manager had been monitoring the clerk for performance issues that had not included violations of confidentiality and the privacy of the EMR.
- He felt there must be computer software that could help to prevent inappropriate access to EMR.
8. During an interview on 10/29/13 at 11:06 AM, Staff A, Compliance and Privacy Officer, and Staff D reviewed a listing of all individuals with EMR access and confirmed that there were six locations for which an organizational function could not be identified and two locations for which a functional relationship to patients could not be identified.