HospitalInspections.org

Based on interview and record review, the facility failed to protect and safeguard patients' rights on the confidentiality of medical records containing protected health information (PHI) for 1 of 5 sampled patients. Patient # 5.

Findings:

Patient # 1 was admitted to the facility on March 1, 2020. Record review revealed a Date of Birth: 4/15/1975 - 44 years old
Reason for Admission / Diagnoses- came under Baker Act for depression with suicidal ideation, and overdose on medication. Stated since his stroke 5 years ago, things had piled up. He did not have use of his arm anymore and he could not do the things he used to do, and he was at a breaking point and just wanted to give up. He decided to take a bottle of Trazadone with a bottle of Aspirin all at once. He called his wife and told her what he had done. He was regretful. He was scared that he was going to die. He needed stabilization and was therefore admitted.
Diagnoses: Major depressive disorder, single episode moderate - to - severe, without psychotic symptoms.
Medications: Buspar, Aspirin, Lisinopril, Keppra, Zoloft, Trazadone, Flonase, Seroquel, Rosuvastatin.

Patient was stabilized and was discharged on March 6, 2020 accompanied by wife.

On the day of discharge on March 6, 2020, Patient # 1 received verbal discharge instructions from Staff C. A copy of discharge instructions for another patient (Patient # 5) was given to Patient # 1. The patient and wife discovered the error when they arrived home.

A telephone interview was conducted with Patient # 1's wife on 7/14/2020 at 12:10 PM. Wife said she reached out to the person named in the document (Patient # 5) through Facebook. Wife wanted to know if she received her husband's discharge instructions but was told no. She then told Patient # 5 that 3 pages of her discharge instructions was given to her husband during his discharge from the hospital. Wife stated that Patient # 5 was upset and did not want anyone to know where she lives. She reassured her that her home address was not in the discharge instruction sheet. Wife said she called the facility and spoke to a nurse Staff A, and she went over his discharged instructions with her via phone.

An interview with Staff A on 7/14/2020 at 2:55 PM stated she is a Registered Nurse (RN) and the 3 PM-11 PM Supervisor for the past year. Asked if she recalled a conversation with Patient # 1's spouse about receiving someone else's discharge instruction sheets. Staff A replied; "I remember that conversation but not the person who I talked to over the phone". RN referred to a personal soft file she has and excused self to retrieve the file.
Staff A returned to the conference room after 7 minutes. After reviewing the soft file, Staff A stated she had a long conversation with Patient # 1's wife) date unknown. Wife told me about the medical records of Patient # 5 that was given to them during discharge. Said she went over page by page of her husbands' discharge instructions via phone. Staff A told the wife that some of the discharge instructions that they received had missing pages. Staff A confirmed and stated that she asked the wife several times to please bring the medical records back that does not belong to them. Stated, "I asked his wife once again to return them, but I cannot make her". I then reported this conversation with wife to our previous Risk Manager. Staff A said she reported the Protected Health Information (PHI) breach to the Risk Manager, and said, "I do not know what she did after that". "I was hoping she reported the breach to Administrator or Director of Nursing (DON) then".
When asked if Patient # 1's discharge instruction sheets were given to patient # 5 or to someone else on 3/6/2020, Staff A replied no.
When asked how she came to know about the PHI breach, Staff A said; "I received this urgent note from our previous Risk Manager". The urgent note read:
For: Supervisor
Date: 3/6/2020
Time: 4:45 PM
Telephone call from wife of Patient # 1. Phone #: 540-846-4388.
Message: Patient # 1- 201-A - Discharged at 2:15 PM. In his paperwork was Patient # 5's discharge papers (407-B).

During a telephone interview with Staff C, Registered Nurse (RN) on 7/14/2020 at 9:37 AM in the presence of the Director of Nursing, stated he worked here as an RN on as need basis (PRN). Per medical record review, Staff C was the nurse who discharged Patient # 1 to home. When asked about the discharge process, Staff C stated he made sure there is a discharge order. The Therapist sees the patient before discharge. He checks if patient needed prescription, if needed to be faxed to their pharmacy and or give a hard copy. I make sure they have a follow up appointment with primary physician. I go through and discuss with the patient all the list of their medications, I confirm their placement, who will pick them up or if we provide the facility van as a courtesy. I put all their belongings in a bag, then we bring them direct to the lobby for pick up. They get a hard copy of their discharge instruction sheet. When asked about his knowledge that Patient # 1 received someone else's (Patient # 5) discharge instruction sheets, Staff C paused; and stated, " I do not recall that". When asked if he had a conversation with Staff A RN / evening supervisor about the wrong discharge instruction sheet given to Patient #1, Staff C paused and again said; "no I do not recall that".

During an interview with Staff I / Medical Records Manager / Private Officer in the presence of the Risk Manager and Director of Nursing (DON) on 7/14/2020 at 10:52 AM stated she worked as the Medical Record Manager / Privacy Officer and was in this position for 2 ½ years, full time. When asked about the incident involving Patient # 1 receiving someone else's discharge instruction incident, Staff I stated; "It started with a sticky note that she received from our previous Risk Manager". "The yellow note includes the name of the complainant, (Patient # 1 wife), a phone number and Patient # 5 's name and phone number.
Staff I stated she called Patient # 1's phone, wife answered the phone. "I asked to speak with her husband, but she will not let me speak with him". Wife stated, she has Patient # 5's medical records with list of her medications. Wife stated that she reached out to Patient # 5 through Facebook. Stated that Patient # 5 was worried about other people knowing her address.

Given this information and as the facility's Privacy Officer, Surveyor asked if she did an investigation of this PHI breach. Staff I responded "yes, but not in writing". Staff I failed to investigate the PHI breach thoroughly and stated nothing is written about any investigation. Staff I confirmed at 10:53 AM that she did not interview the primary nurse who discharged Patient # 1, failed to elevate the PHI breach to Corporate Privacy Officer. Staff I stated she only discussed the event with Staff A, the RN nursing supervisor.
When asked if she elevated the incident to Corporate Privacy Officer, she replied; " No, I did not".

Interview with the DON on 7/14/2020 at 11:06 AM when asked if there were any re-education on Health Insurance Portability and Accountability Act (HIPAA) after this PHI breach, DON stated that she was made aware of this incident only today.
Risk Manager stated on an interview on 7/14/2020 at 11:09 AM that she was not aware of an open investigation.

Review of the Facility Privacy Officer policy with Privacy # 1.0 - revision date of 10/12/2017 on page 1 of 6 of the policy read: Policy: Each facility will designate a Facility Privacy Officer. The Privacy Officer will be responsible for the development and implementation of the privacy policies and procedures of the Facility and will oversee the compliance with the Privacy Rule, including the implementation of the HIPAA compliance program-related matters to the Committee, or Chief Executive Officer of the facility and the UHS Corporate Privacy Officer. The Privacy Officer will report on HIPAA Compliance Program- related matters to the Board of Governors of the facility, or its equivalent at least on an annual basis, or more frequently as needed.
Duties and Responsibilities:
The Privacy Officer will have the following responsibilities and duties:
" Be responsible for developing, implementing, and maintaining facility policies and procedures regarding the privacy of PHI, consistent with UHS HIPAA policies and procedures and legal requirements, including state laws applicable to the facility.
" On page 3 of 6 of the policy read: Receive or oversee the receipt of complaints relating to privacy practices and issues.
" Timely investigate, assess the viability and severity of, respond to, document, and maintain documentation on complaints from patients, employees, business associates, and others relating to the facility's privacy practices, in accordance with the UHS Corporate Privacy Officer or Compliance Office to establish a process for receiving, documenting, tracking, investigating, and taking corrective action on all complaints concerning the Facility's privacy policies and procedures (including self-disclosures).
" Implement and maintain necessary administrative, technical and physical safeguards for PHI.
" On page 4 of 6 read: Implement corrective action to mitigate the harmful effects to individuals whose privacy of PHI has been breached, to the extent feasible, and document such actions.
" Page 5 of 6 read: Investigate potential breaches and determine whether there has been a breach of unsecured PHI, notify UHS Corporate Privacy Officer or Compliance Officer and UHS Compliance Office if there has been a breach, take steps to mitigate losses and protect against further breaches; in consultation with senior management at the Facility and the UHS Corporate Privacy Officer, determine whether notification is required and provide timely notification, consistent with UHS HIPAA Breach Notification.

Based on interview and record review, the facility failed to protect and safeguard patients' rights on the confidentiality of medical records containing protected health information (PHI) for 1 of 5 sampled patients. Patient # 5

Findings:

Patient # 1 was admitted to the facility on March 1, 2020. Record review revealed a
Diagnoses: Major depressive disorder, single episode moderate - to - severe, without psychotic symptoms.
Medications: Buspar, Aspirin, Lisinopril, Keppra, Zoloft, Trazadone, Flonase, Seroquel, Rosuvastatin.

Patient was stabilized and was discharged on March 6, 2020 accompanied by wife.

On the day of discharge on March 6, 2020, Patient # 1 received verbal discharge instructions from Staff C. A copy of discharge instructions for another patient (Patient # 5) was given to Patient # 1. The patient and wife discovered the error when they arrived home.

During a a telephone interview with on 7/14/2020 at12:10 PM was conducted with Patient # 1's wife. patient # 1 wife stated she reached out to the person named in the document (Patient # 5) through Facebook. Wife wanted to know if she received her husband's discharge instructions but was told no. She then told Patient # 5 that 3 pages of her discharge instructions was given to her husband during his discharge from the hospital. Wife stated that Patient # 5 was upset and did not want anyone to know where she lives. She reassured her that her home address was not in the discharge instruction sheet. Wife said she called the facility and spoke to a nurse Staff A, and she went over Patient # 1's discharged instructions with wife of patient # 1 via phone.

During an interview on 7/14/2020 at 2:55 PM with Staff A, a Registered Nurse (RN) and is the 3 PM-11 PM Supervisor for the past year. Asked if she recalled a conversation with Patient # 1's spouse about receiving someone else's discharge instruction sheets. Staff A replied; "I remember that conversation but not the person who I talked to over the phone". RN referred to a personal soft file she has and excused self to retrieve the file.
Staff A returned to the conference room after 7 minutes. After reviewing the soft file, Staff A stated she had a long conversation with Patient # 1's wife) date unknown. Wife told me about the medical records of Patient # 5 that was given to them during discharge. Said she went over page by page of her husbands' discharge instructions via phone. Staff A told the wife that some of the discharge instructions that they received had missing pages. Staff A confirmed and stated that she asked the wife several times to please bring the medical records back that does not belong to them. Stated, "I asked his wife once again to return them, but I cannot make her". I then reported this conversation with wife to our previous Risk Manager. Staff A said she reported the Protected Health Information (PHI) breach to the Risk Manager, and said, "I do not know what she did after that". "I was hoping she reported the breach to Administrator or Director of Nursing (DON) then".
When asked if Patient # 1's discharge instruction sheets were given to patient # 5 or to someone else on 3/6/2020, Staff A replied no.
When asked how she came to know about the PHI breach, Staff A said; "I received this urgent note from our previous Risk Manager". The urgent note read:
For: Supervisor
Date: 3/6/2020
Time: 4:45 PM
Telephone call from wife of Patient # 1. Phone #: 540-846-4388.
Message: Patient # 1- 201-A - Discharged at 2:15 PM. In his paperwork was Patient # 5's discharge papers.

During a telephone interview on 7/14/2020 at 9:37 AM with Staff C, Registered Nurse (RN) in the presence of the Director of Nursing, stated per medical record review, Staff C was the nurse who discharged Patient # 1 to home. When asked about the discharge process, Staff C stated he made sure there is a discharge order. The Therapist sees the patient before discharge. He checks if patient needed prescription, if needed to be faxed to their pharmacy and or give a hard copy. I make sure they have a follow up appointment with primary physician. I go through and discuss with the patient all the list of their medications, I confirm their placement, who will pick them up or if we provide the facility van as a courtesy. I put all their belongings in a bag, then we bring them direct to the lobby for pick up. They get a hard copy of their discharge instruction sheet. When asked about his knowledge that Patient # 1 received someone else's (Patient # 5) discharge instruction sheets, Staff C paused; and stated, " I do not recall that". When asked if he had a conversation with Staff A RN / evening supervisor about the wrong discharge instruction sheet given to Patient #1, Staff C paused and again said; "no I do not recall that".

During an interview with Staff I / Medical Records Manager / Privaicy Officer on 7/14/2020 at 10:52 AM in the presence of the Risk Manager. When asked about the incident involving Patient # 1 receiving someone else's discharge instruction incident, Staff I stated; "It started with a sticky note that she received from our previous Risk Manager". "The yellow note includes the name of the complainant, (Patient # 1 wife), a phone number and Patient # 5 's name and phone number.
Staff I stated she called Patient # 1's phone, wife answered the phone. "I asked to speak with her husband, but she will not let me speak with him". Wife stated, she has Patient # 5's medical records with list of her medications. Wife stated that she reached out to Patient # 5 through Facebook. Stated that Patient # 5 was worried about other people knowing her address.

During an interview on 07/14/2020 at 10:53 AM, with Privacy Officer. After reviewing this information as the facility's Privacy Officer staff I, stated to the surveyor was asked if she did an investigation of this PHI breach. Staff I responded "yes, but not in writing". Staff i further stated that she did not interview the primary nurse who discharged Patient # 1, failed to elevate the PHI breach to Corporate Privacy Officer. Staff I stated she only discussed the event with Staff A, the RN nursing supervisor.

Review of written documentation failed to show any investigation, of this breach of PHI was conducted by staff I.

During an interview on on 7/14/2020 at 11:06 AM with the DON was asked if there were any re-education on Health Insurance Portability and Accountability Act (HIPAA) after this PHI breach, DON stated that she was made aware of this incident only today.

During an interview on 7/14/2020 at 11:09 AM, with Risk Manager stated she was not aware of an open investigation.

Review of the Facility Privacy Officer policy with Privacy # 1.0 - revision date of 10/12/2017 on page 1 of 6 of the policy read: Policy: Each facility will designate a Facility Privacy Officer. The Privacy Officer will be responsible for the development and implementation of the privacy policies and procedures of the Facility and will oversee the compliance with the Privacy Rule, including the implementation of the HIPAA compliance program-related matters to the Committee, or Chief Executive Officer of the facility and the UHS Corporate Privacy Officer. The Privacy Officer will report on HIPAA Compliance Program- related matters to the Board of Governors of the facility, or its equivalent at least on an annual basis, or more frequently as needed.
Duties and Responsibilities:
The Privacy Officer will have the following responsibilities and duties:
" Be responsible for developing, implementing, and maintaining facility policies and procedures regarding the privacy of PHI, consistent with UHS HIPAA policies and procedures and legal requirements, including state laws applicable to the facility.
" On page 3 of 6 of the policy read: Receive or oversee the receipt of complaints relating to privacy practices and issues.
" Timely investigate, assess the viability and severity of, respond to, document, and maintain documentation on complaints from patients, employees, business associates, and others relating to the facility's privacy practices, in accordance with the UHS Corporate Privacy Officer or Compliance Office to establish a process for receiving, documenting, tracking, investigating, and taking corrective action on all complaints concerning the Facility's privacy policies and procedures (including self-disclosures).
" Implement and maintain necessary administrative, technical and physical safeguards for PHI.
" On page 4 of 6 read: Implement corrective action to mitigate the harmful effects to individuals whose privacy of PHI has been breached, to the extent feasible, and document such actions.
" Page 5 of 6 read: Investigate potential breaches and determine whether there has been a breach of unsecured PHI, notify UHS Corporate Privacy Officer or Compliance Officer and UHS Compliance Office if there has been a breach, take steps to mitigate losses and protect against further breaches; in consultation with senior management at the Facility and the UHS Corporate Privacy Officer, determine whether notification is required and provide timely notification, consistent with UHS HIPAA Breach Notification