HospitalInspections.org

Bringing transparency to federal inspections

4747 ARAPAHOE AVE

BOULDER, CO 80303

PATIENT RIGHTS: CONFIDENTIALITY OF RECORDS

Tag No.: A0147

34449

Based on observations, interviews, and a review of facility policies and procedures, the facility failed to provide safeguards against loss and unauthorized use of patient protected health information (PHI).

The failure created the potential for unauthorized individuals to access patient information.

Findings

Policy

Facility policy titled Patient Rights and Responsibilities/Speak Up Program, Confidentiality and Privacy, stated patients have the right to have their medical record read only by individuals directly involved in the patient's treatment or monitoring of its quality and/or other individuals may access the record only on the patient's written authorization.

1) The facility did not handle and/or store documents containing patient information in a manner to prevent unauthorized access.

a) On 06/18/14 at 1:07 p.m., a tour of the Internal Medicine Associates clinic was conducted with the Chief Operating Officer (COO) for ambulatory services and the clinic manager. At the reception desk, a rack was observed that contained folders with patient information. When asked, the receptionist stated that the files contained documents for patients scheduled the next day, and remained there until the next day. The clinic manager stated that environmental services staff has access to all areas of the clinic after hours, and that s/he did not know patient information had to be secured within the clinic after hours.

b) On 06/18/14 at 1:20 p.m., a tour of Table Mesa Clinic was conducted with the COO and the clinic manager. Files at a workstation and a stack of documents containing patient information were observed in the back office. When asked, the clinic manager stated the documents are not secured after hours, and that environmental services has access to the area after hours. S/he did not know patient information must be secured within the clinic after hours.

c) A tour of Foothills Cardiology was conducted with a facility administrator on 06/18/14 at 1:35 p.m. Open grey plastic bins containing patient information were observed under the reception desk. When asked, the clinic manager stated these bins are not emptied each night but are dumped into locked bins for shredding when full. Documents containing patient information were observed on a counter in an unlocked room behind the reception area. The clinic manager stated the documents are not secured after hours. An open room storing paper medical records was observed in an unsecured area accessible by patients and/or visitors during clinic hours. The door did not have a lock. The clinic manager stated that environmental services has access after hours to this area and all other areas observed during the tour. S/he did not know patient information must be secured within the clinic after hours.

d) The COO offered information during an interview on 06/18/14 that the facility has a business agreement with the contracted environmental services agency which includes a confidentiality agreement, and s/he believed this was sufficient to guarantee protection of patient information in the clinics. S/he believed environmental services staff had been educated not to empty the grey bins containing patient information into unsecured bins intended for regular trash and/or regular recycling materials.