HospitalInspections.org

Based on review of facility policy, interviews, medical record review, review of facility documentation, the facility failed to ensure a deceased patient was free from abuse and failed to follow the facility policy's related to abuse and patient rights for 1 patient (#3) of 4 patients reviewed for abuse of 27 patients reviewed.

The findings included:

The complaint alleged a social media messenger post was sent to a non-employed individual (community member #1) by a Facility A Nursing Technician (NT) #1 of a deceased naked patient (Patient #3). There was no date or identification of the patient. The patient was identified as Patient #3 and he expired on 8/24/2023. On 9/10/2023 (17 days after the patient expired) the photos were sent to a security officer from a community member via messenger which stated the photos were sent, the pictures were inappropriate, and the individual did not know what to do with the pictures. On 9/11/2023 (18 days after the patient expired) the facility's senior leadership was notified of the pictures and the allegations where the employee was terminated on 9/11/2023. The facility had notified the Health Insurance Portability and Accountability Act (HIPAA) coordinator of the privacy concerns related to the photos but failed to notify Risk Management related to patient rights concerns. NT #1 admitted to taking the pictures and sending the pictures to a community member via social media messenger. There was no security report submitted until 9/20/2023 and a facility occurrence report was not submitted for Risk Management to have been aware of the incident. During the investigation it was found the pictures were taken for a patient who expired on 8/24/2023 without a consent from the patient and shared by social media messenger and text message. The facility had not completed an investigation or provided education related to HIPAA or Patient Rights to facility staff.

Refer to A-0145

Based on review of facility policy, interviews, medical record review, review of facility documentation, the facility failed to ensure the privacy and protection of a deceased patient for 1 patient (#3) where pictures were taken of the patient and sent by social media messenger to an individual without patient consent, for 4 patients reviewed for abuse of 27 patients reviewed.

The findings included:

Review of facility policy 'Adult Abuse Protection and Reporting' last revised 10/2/2021, showed "...Abuse; for the purpose of this policy, the word 'abuse' will be used as an all-inclusive term to include Abuse, Neglect, Exploitation, or Sexual Abuse...[D] Internal Investigations; any allegation, observation or suspected case of Abuse that occurs while a patient is in a [named facility] should be reported immediately to a facility supervisor and to the patient's provider or designee...the supervisor will notify the facility Risk Manager...the team member who is most knowledgeable about the event will complete an incident/occurrence report.."

Review of facility policy, 'Photography, videotaping, or recording' last revised 10/22/2021 "...refers to producing of still imaging, sounds, or moving of images by any means [digital, film, or video, camera, cell phone, tablet, webcam, tape recorder, etc.]...this included photographs, still images, video recordings, digital or any other image method...[B] written consent from the patient or their legal representative must be obtained and placed in the medical record before creating photography, videotaping, and audio recording...[F]any use of patient photography, videotaping, recording must adhere to all applicable polices, practice, and laws...[G] photographs, videotaping, and audio recordings involving patients or the patient's treatment are part of the patient's medical record...[N-workforce] personally owned devices, including, but not limited to iPhone, iPad, Blackberries, and other tablets and smart phones, may not be used to photograph or record patients..."

Review of facility policy 'Social Media Policy' last revised 6/24/2022, showed "...[b] before posting anything, team members should remember that they are responsible for what they post online...[e] if a team member decides to post a complaint or criticism, statements, photographs, video or audio should be avoided that may be reviewed as malicious, obscene, threatening, harassing, or abusive of coworkers, patients, customers, or others that work on behalf or are associated with [named facility]..."

Review of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Corrective Action Plan Procedural Guide, dated 8/1/2022 showed "...level 4: deliberate or purposeful privacy or security violations, noncompliant with the law, with harmful and/or malicious intent...posting information regarding patients publicly such as social media sites whereas the patient is identified or could be identified..."

Review of facility's policy 'Patient Rights' last revised 7/14/2023 showed "...[named facility] is committed to the observance of each patient/resident's rights, personal preference, and values...all persons involved in the care of a patient/resident shall respect and support the patient/resident's rights to competent, considerate, and courteous treatment or serviced within our capacity..."

During an interview on 9/14/2023 at 1:30 PM, the Risk Manager, stated Risk Management was not aware of any concerns related to photos taken without a patient's consent or any concerns related to photos sent by social media messenger. The facility had not had any local police inquiries related to photos of patients. On 9/19/2023 the Risk Manager again stated Risk Management was not aware of any concerns related to photos taken without a patient's consent or any concerns related to photos sent by social media messenger.

During an interview on 9/19/2023 at 10:35 AM, with the Risk Manager, a request to speak with Nursing Technician (NT) #1 related to the NT #1 was named in the complaint. The Risk Manger contacted the 5500 unit director for the NT schedule and it was determined the NT #1 no longer worked at the facility. This surveyor asked if the NT #1 left on her own or if the NT #1 was terminated. It was determined the NT #1 was terminated by the facility on 9/11/2023.

During an interview on 9/19/2023 at 10:55 AM, the Operations Manager for 5500 unit (medical surgical unit) stated on 9/10/2023 an 'ex-friend' (community member #1) of the NT #1 had sent a social media message to a security officer. The ex-friend informed the officer she had received pictures of a deceased patient lying in the bed and naked which were sent by the NT #1. The ex-friend stated NT #1 sent the pictures to her by text message also. The ex-friend stated she did not know what to do, she felt the pictures were inappropriate, and she wanted to remain anonymous and not be involved. The security officer had notified his supervisor on 9/10/2023. On 9/11/2023 the incident was discussed with the operations director and senior leadership in the daily safety huddle. On 9/11/2023 NT #1 was taken to the Human Resource (HR) Department by the Operations Director and security officer to discuss the allegations. The Operations Director stated "...during the conversation [named NT #1] admitted she took the pictures of the patient and sent the pictures by messenger. She stated she was not sure why she took the pictures and send them out...the NT was terminated on 9/11/2023. HR was involved and notified the HIPAA (health insurance portability and accountability act] compliance officer of the incident. The Registered Nurse (RN) and CNA (certified nurse assistant) who assisted with post-mortem care for the patient were interviewed and stated there were no pictures taken of the patient during the post-mortem care..."

During an interview on 9/19/2023 at 11:15 AM, the Vice President (VP) of Risk Management and Risk Manager, stated there were no incident reports filed for related to the incident and security had not filed a report related to the allegations related to the photos to alert Risk Management of a patient rights concern. Risk Management was not aware of the incident, or the allegations and no education had been performed for the staff.

During an interview on 9/19/2023 at 1:55 PM, the HIPAA Campus Manager, stated on 9/11/2023 he received a phone call from the Operations Manager related to concerns [named NT #1] had taken pictures with her cell phone of a deceased patient and had shared the pictures on social media messenger outside of the facility. The ex-friend (community member #1) sent a social media messenger notification to the security officer on 9/10/2023 informing the officer of the pictures, she felt the photos were inappropriate, and asked for assistance. The security officer had notified his supervisor on 9/10/2023. On 9/11/2023 the unit Operations Director and senior leadership were informed of the allegation. At the time of the notification, the facility was not sure of the identity of the patient. He stated he asked for copies of the pictures from the Operations Director and informed the Operations Director to ask the NT #1 and the (community member #1) to delete all of the pictures from their personal phones. The employee was terminated on 9/11/2023. On 9/14/2023, the HIPAA office, HR, and the Operations Director were able to make an identity of the patient whose picture was taken. The patient was identified as Patient #3 who expired on 8/24/2023. A Breach Risk Assessment (assessment to determine how serious the patient may be harmed and the probability of the event happening) was performed. The assessment determined the breach was serious related to privacy concerns and was reportable event to the family, the Department of Health and Human Services, and the office of Civil Rights. Risk Management was not made aware of the allegation related to patient rights. NT #1 was terminated on 9/11/2023. He confirmed no education had been given to the facility staff regarding HIPAA or patient rights after the incident occurred. The HIPPA compliance office would recommend training to the unit director who would then implement the plan of action but this had not occurred. He stated this finding would probably fall under a Level 4 violation of HIPAA Privacy and Security violation related to 'deliberate or purposeful privacy or security violations, noncompliant with the law, with harmful and/or malicious intent'.

Medical record review showed Patient #3 was admitted on 8/10/2023 with previous history of bladder cancer, dyslipidemia (elevated blood cholesterol), and hypertension (elevated blood pressure). The patient's diagnoses included Transaminitis (elevation of liver enzymes), elevated liver enzymes and bilirubin, hyponatremia (low blood sodium levels), thrombocytopenia (elevated white blood count), bladder cancer, and hypertension.

Medical record review of a Hospitalist Progress Note dated 8/24/2023 at 7:55 AM showed the patient had fungemia (fungus in the blood) and he had developed septic shock, renal failure, and worsening encephalopathy (brain dysfunction). The patient had required multiple intravenous fluid bolus over the night with no improvement. The patient's family was offered transfer to the Intensive Care Unit (ICU) but the family declined and elected for comfort care measures.

Medical record review of a Nurses Note dated 8/24/2023 showed the patient was transitioned to comfort care. A Morphine drip (medication used for pain and sedation) was started, the patient was given intravenous (IV) Ativan (medication used for anxiety) and Valium (medication used for anxiety IV. At 12:29 PM the patient expired. Postmortem care completed was completed and the patient was transported to the morgue at 3:25 PM.

Medical record review of a Death Record and Release of Body Authorization form dated 8/24/2023 showed the following:
Time of Death: 12:28 PM
Release to Morgue: 2:15 PM

Review of a Social Media messenger communication thread (which was presented during the investigation) from Community Member #1 to Security Officer #1, the date was not visible, the time was 8:24 PM showed there were 4 different pictures of a deceased nude male patient. There was no identification of the male. The message attached stated "...hello, I am not sure what to do in this situation. I used to be friends with [named NT #1] we would message. She shared photos of a deceased nude patient with me, and to say the least, it made me VERY uncomfortable. I don't even know who talk to about this because I feel like that violated the man's rights. I also want to remain anonymous because I fear retaliation and the mess it would cause...but I feel it is wrong of her to do that..." A response from the security officer #1, with no date or time, showed "...Is handled without you having to do or say anything further. I'm very sorry this happened, and you had to see that. I cannot possibly imagine what made her send you that..." A response from the community member #1 to the Security Officer #1 with no date but timed at 9:53 AM showed two additional pictures a nude male and a text stating "...She also proceeded to send the pictures in a text when I did not respond on Facebook [social media platform]. Made me extremely uncomfortable and it was unwarranted. Thank you for responding and helping me with this situation..."

Review of an electronic media (email) from HR dated 9/19/2023 (completed 8 days after the patient expired) at 10:59 AM showed "...at morning huddle, I found out that team member [NT #1] sent pictures of a deceased unclothed patient to [named community member #1]...her former friend, [named community member #1] sent them to [named Facility A's] security officer, Lt. [security officer #1], who then informed his manager, [named Security Director] of the situation and that is when [named security director] brought her manager, into the situation. They asked to speak with me and the end of huddle and filled me in on the situation as well as [named Chief Nursing Officer and named Assistant Chief Nursing Officer]...I advised them to call Compliance because of the extremity [extreme] of the situation, I felt sure it would fall into the category of immediate termination. [Named Security Director and Operations Director] worked with Compliance, and they gave the authorization to terminate, but wanted a few questions answered first. [Named NT #1] was brought down to HR...first, I asked if she had ever sent pictures of patients to anyone or taken pictures of patients at all. She said no several times and then I specified a deceased nude male and she immediately said she remembered that. She stated the room number. When asked why, [named NT #1] said a former friend text her and asked how her day was and she responded with that picture. She said she had never done that before, and named [Operations Director] asked if she sent the picture to anyone else and if she still had it on her phone and she said no to both. He told her to make sure to delete her deleted photos as well. At that point we gave her a Separation Notice and let her know her employment would be terminated immediately...I did not notify Risk Management because we all ready partnered with Compliance..."

Review of a Security Report dated 9/20/2023 (completed 10 days after the alleged incident was reported) at 11:48 AM showed "...on 9/10/2023 at approximately 10:00 PM, security [named security Major] received a text message from Lieutenant [Lt] [named Security Officer #1] stating he received a message on Facebook showing several pictures of what appeared to be a dead body. The message was sent from [named community member #1], who Lt. does not know. [named community member #1] stated to him that her ex-friend, [NT #1] was the person who sent the pics [pictures] to her. I then took this information and the pictures to the morning huddle on 9/11/2023 and informed [named NT's] manager...and the rest of her chain of command about the incident. It was at this time it was decided for us to rejoin at 10:15 AM in HR and to talk about it with [NT #1]. During the conversation, [named NT #1] stated that she did take the picture and sent it to [named community member #1] and that was the only person it was sent to. HR then terminated her..."

During a telephone interview on 9/19/2023 at 2:15 PM, Registered Nurse (RN) #2 stated the patient was admitted to the facility for 10 days and the patient expired on 8/24/2023. RN #1 stated "...this was [named NT #1] first post-mortem [care after a patient expires] care patient and myself and [named NT #2] assisted her with the patient. I did not see any of the staff using a cell phone and no pictures were taken while in was in the room. There was a delay in transport to take the patient to the morgue for about 1-2 hours where the patient remained on the unit. We had placed the patient in a body bag...I was called by HR Friday [9/15/2023] and asked if I saw anyone taking pictures of the patient..."

During an interview on 9/19/2023 at 2:30 PM, the Director of Security, stated on 9/10/2023 officer [#1] was sent a direct message by social media messenger from the 'ex-friend' of NT #1 around 10:00 PM-10:30 PM. The message included photos of a naked patient and stated 'she did not know what to do with the pictures'. The officer had contacted the director on 9/10/2023. On 9/11/2023 the 5500 unit Operations Director and senior leadership were notified of the pictures during the morning safety huddle who discussed the incident. The Director of Security stated "...the nursing technician [#1] stated this was her first 'dead body' and she had never seen a dead body. She admitted she took the pictures on her cell phone. During the discussion the nursing technician had no emotions, she was very normal in her voice tone..."

During an interview on 9/19/2023 at 2:40 PM, Security Officer #1, stated he received a social media messenger post from (named community member #1) on 9/10/2023 which showed naked pictures of a patient which were reportedly taken by [named NT #1]. He stated "...I knew [named NT #1] related to previous investigation related to domestic violence at the facility, but he did not know [named community member #1]. [Named community member #1] stated she was an ex-friend of [NT #1] and felt the photos were inappropriate and she did not know what to do with the pictures. I called my boss and forwarded the pictures to him that night. We reported the pictures and allegations to the director the next day..." Security Officer #1 confirmed he did not file a report related to the pictures and allegation.

During an interview on 9/19/2023 at 3:05 PM, CNA #1 stated he provided to care for the patient on 8/24/2023. He had assited RN #1 and NT #1 with providing post-mortem care. He stated he had seen NT#1 using her cell phone numerous times prior to the incident but he did not see the NT #1 taking pictures. He stated "...I know she did not take any pictures while we were in the room, but I don't know what happened after that..."

During an interview on 9/19/2023 at 3:45 PM, the Nursing Director of Inpatient Services, stated on 9/10/2023 the security officer was sent pictures by a social media messenger post from a non-employed individual who stated she was sent the pictures of a naked patient by an employed NT. There were no dates on the photos and the patient was not identified. On 9/11/2023, security notified senior leadership of the pictures during the morning safety huddle. NT #1 was taken to the HR department and told about the pictures. The NT did not deny she had taken and sent the pictures. She stated "...the team member had a very strong demeaner during the conversation and did not appear to be upset. She did not mention any specific patient and did not comment when or why she sent the pictures..."

During an interview on 9/20/2023 at 9:15 AM, the Chief Medical Officer stated he had been made aware of the photos being taken and sent by an employee of the facility. A patient consent for photos must be obtained and the photos should be uploaded into the patient's medical record. The sharing of any patient photos by social media would not be appropriate and a violation of facility policy.